CoreFolioHIPAA

How to do a HIPAA risk analysis without a $15,000 consultant

The Security Rule requires every covered entity to conduct an accurate, thorough risk analysis. Here is what that actually means, what it has to contain, and how to do it yourself.


The HIPAA Security Rule has been in effect since 2005. It requires every covered entity to conduct a risk analysis. And yet, risk analysis failure is the most common finding in OCR settlements, year after year.

Why? Because the requirement sounds intimidating. "An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." That is the actual regulatory language, from 45 CFR § 164.308(a)(1)(ii)(A).

Most small practices read that sentence and call a consultant. This article explains what that requirement actually means — and how to do it without spending five figures.

What the rule actually requires

The Security Rule does not prescribe a format. It does not require a 200-page document. It requires documentation that demonstrates you have identified the ePHI your practice creates, receives, maintains, or transmits; identified the threats and vulnerabilities to that ePHI; analyzed the likelihood and impact of each; and documented the results.

HHS published guidance in 2010 that maps this to a seven-step process based on NIST Special Publication 800-30. The steps are:

  1. Scope — define the systems, locations, and workflows that touch ePHI
  2. Gather data — inventory every device, system, and person that handles ePHI
  3. Identify threats — the things that could go wrong (ransomware, lost laptop, insider error)
  4. Identify vulnerabilities — the gaps in your defenses that would make a threat possible
  5. Assess current controls — what you already have in place
  6. Determine likelihood and impact — for each threat-vulnerability pair
  7. Document — the process, findings, and planned responses

That is it. A well-organized spreadsheet or a guided tool that captures this information, dated and signed by whoever is responsible for HIPAA compliance, is a risk analysis under 45 CFR § 164.308(a)(1)(ii)(A).

What OCR looks for

Based on the pattern of Risk Analysis Initiative settlements (2024–2025), OCR's investigators look for three things:

Existence. Does a document exist? Is it current (dated within the past 12 months or, under the proposed 2026 rule, explicitly dated to a calendar year)? Many practices fail here — they did a risk analysis in 2018 and never updated it.

Scope. Does it cover all ePHI the practice holds, not just the EHR? OCR has cited practices for not including email (which often contains ePHI), fax machines, mobile devices used by staff, and cloud backups. If your practice uses any of these, they need to be in the analysis.

Specificity. Does it name actual threats — ransomware, phishing, lost laptops, unauthorized access — or does it say something vague like "cyber threats exist"? Vague documentation is almost as bad as no documentation.
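As an added illustration (not code from this article, the HHS SRA Tool or any other project), here is a small Python risk register that follows the seven steps listed above and applies the scope and specificity checks OCR looks for. The three-point scoring scale, the list of commonly missed ePHI locations, the vague-threat words and the sample practice data are all assumptions made for the example.

```python
"""Minimal HIPAA risk register in the NIST SP 800-30 shape of the seven
steps above; all assets and threat/vulnerability pairs are constructed."""
from dataclasses import dataclass
from datetime import date

LEVELS = {"low": 1, "medium": 2, "high": 3}  # 3-point scale (assumed)
# ePHI locations the article says OCR has cited practices for omitting
COMMONLY_MISSED = ("email", "fax", "mobile device", "cloud backup")
VAGUE_THREATS = {"cyber threats", "threats", "hackers", "risks"}

@dataclass
class Risk:
    asset: str          # steps 1-2: system/device/workflow holding ePHI
    threat: str         # step 3: a named threat, e.g. "ransomware"
    vulnerability: str  # step 4: the gap that makes the threat possible
    controls: str       # step 5: what is already in place
    likelihood: str     # step 6
    impact: str         # step 6

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

def validate(risks):
    """Findings a reviewer would flag: vague threats and scope gaps."""
    findings = []
    for r in risks:
        if r.threat.lower() in VAGUE_THREATS:
            findings.append(f"vague threat '{r.threat}' on {r.asset}")
    assets = [r.asset.lower() for r in risks]
    for loc in COMMONLY_MISSED:
        if not any(loc in a for a in assets):
            findings.append(f"scope gap: nothing covers {loc}")
    return findings

def register(risks, signed_by, on=None):
    """Step 7: a dated, signed register, highest-scoring risks first."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return {"date": on or date.today().isoformat(), "signed_by": signed_by,
            "findings": validate(risks),
            "risks": [(r.asset, r.threat, r.score()) for r in ranked]}

# Constructed sample for a small practice; names are illustrative only
SAMPLE = [
    Risk("EHR (cloud-hosted)", "ransomware", "restore never tested", "vendor backups", "medium", "high"),
    Risk("Staff mobile devices", "lost device", "no full-disk encryption", "PIN lock", "high", "high"),
    Risk("Email (patient results)", "phishing", "no MFA on mailboxes", "spam filter", "high", "medium"),
    Risk("Fax machine", "cyber threats", "unattended output tray", "none", "low", "low"),
]
```

Running `register(SAMPLE, "Practice Owner")` ranks the unencrypted mobile devices first and reports two findings: the fax entry names only "cyber threats", and no entry covers cloud backup.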

The biggest common mistakes

Treating the SRA Tool as the end goal. The HHS SRA Tool (a free Windows desktop application) is a starting point. It generates questions. But the answers live in its proprietary database, the export is a static PDF, and it has not been meaningfully updated for the 2026 proposed rule. Running through the tool and printing the PDF is better than nothing, but OCR looks at the substance of the analysis, not the format.

Scope too narrow. The rule covers ePHI in any form. A family practice that uses athenahealth as its EHR but emails lab results to patients is handling ePHI in email. A behavioral health practice that uses Zoom for telehealth needs to assess that transmission path. The scope has to follow the ePHI, not the EHR.

One-time event. The 2013 rule already requires periodic review. The proposed 2026 rule would make an annual review explicitly mandatory. Either way, a 2019 risk analysis does not satisfy the current requirement. Regulators expect to see a dated, current document.

No plan. The risk analysis is step one. Step two, required separately under 45 CFR § 164.308(a)(1)(ii)(B), is a risk management plan: a documented response to the risks you identified. Both artifacts need to exist. OCR consistently cites both in settlements.

How long it actually takes

For a practice with 1–25 employees, a first-time risk analysis — done with a guided tool, not starting from a blank page — takes most office managers or practice owners about 60–90 minutes. The first run is longer because you are collecting information you may not have at your fingertips (every device that touches ePHI, every vendor who handles patient data, the network topology). Annual updates, once you have a baseline, are typically 20–30 minutes.

The $15,000 consultant fee mostly pays for two things: the consultant's liability (they are taking responsibility for the accuracy of what they write) and their time gathering the information from your practice. If you own the information — and you do, because you run the practice — you can do this work yourself with the right structure.

What you need before you start

Before you open any risk analysis tool, gather:

  • A list of every device in the practice (computers, tablets, phones, printers, servers, backup drives) that might store or transmit ePHI
  • Your primary EHR vendor name (and whether it is cloud-hosted or locally installed)
  • Other vendors who receive ePHI: billing company, lab interfaces, telehealth platform, cloud backup
  • Whether your practice uses email for patient communication, and what system
  • Whether staff access practice systems remotely, and how
  • Whether you have a written Notice of Privacy Practices, a sanctions policy, and workforce training records (these do not affect the risk analysis but often come up in remediation)

With that information in hand, a structured guided assessment can walk you through the rest.

The output you are trying to produce

The documentation you walk away with should answer these questions clearly:

  1. What ePHI do we hold, where does it live, and who can access it?
  2. What could go wrong with that ePHI? (Threats and vulnerabilities, not in the abstract — name the EHR, name the cloud service, name the device)
  3. How likely is each problem, and how bad would it be?
  4. What are we doing about the most significant risks? (The risk management plan)

If you can answer those four questions with dated, signed documentation, you have a defensible risk analysis under 45 CFR § 164.308(a)(1)(ii)(A).


Sources: 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(1)(ii)(B) (risk management plan); HHS OCR Guidance on Risk Analysis (2010); NIST SP 800-30 Rev. 1 (2012). NPRM: HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025).