What Is a HIPAA Security Risk Analysis?

The security risk analysis is the single most important requirement in the HIPAA Security Rule. It is an administrative safeguard, but it drives nearly every other security decision an organization makes. It is also one of the most frequently cited deficiencies in OCR investigations.

What the rule requires

The Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they hold. The word "all" is significant: the analysis must be enterprise-wide, not limited to a single system or location.

Risk analysis vs. gap assessment

People often confuse a risk analysis with a checklist of Security Rule controls. They are related but different:

                       Gap assessment                           Risk analysis
Question answered      Do we have each required control?        What are the actual risks to our ePHI, and how serious are they?
Output                 List of missing controls                 Prioritized risks with likelihood and impact
Required by the rule?  Helpful, but not the legal requirement   Yes - this is the requirement

A gap assessment is a useful input, but it does not substitute for analyzing real-world threats and vulnerabilities to your specific environment.

Core elements

HHS guidance and NIST SP 800-66 Rev. 2 describe elements a thorough risk analysis should include:

Common mistake: Treating a vendor's generic template or a one-time questionnaire as the whole analysis. To be "accurate and thorough," the assessment must reflect your actual systems, data flows, and threats, and be updated as those change.

It is ongoing, not annual paperwork

While many organizations refresh their risk analysis at least annually, the rule expects it to be current. Significant changes, such as adopting a new system, moving to the cloud, a merger, or a security incident, should prompt an update. The companion risk management process then addresses the risks the analysis identifies.

Why it matters so much

Beyond being a legal requirement, the risk analysis is the rational basis for prioritizing limited security resources. It tells you which risks are most serious so you can address them first. When OCR investigates a breach, one of its first questions is often whether the organization had a current, thorough risk analysis and acted on it. A strong analysis, paired with documented follow-through, is among the best evidence of a mature compliance program.

Frequent shortcomings

OCR resolution materials repeatedly describe risk analyses that fell short in predictable ways. Some were limited to a single application, such as the electronic health record, while ignoring email, file shares, imaging systems, mobile devices, and backups that also held ePHI. Others were one-time efforts never updated after major changes like a cloud migration or acquisition. Some existed on paper but never drove any remediation, so identified risks lingered unaddressed. And some relied entirely on a vendor questionnaire whose generic answers did not reflect the organization's actual environment. Recognizing these patterns helps an organization test whether its own analysis would withstand scrutiny.

Risk analysis feeds risk management

The analysis is not an end in itself; it is the input to the Security Rule's separate risk management requirement. Once risks are identified and rated, the organization must implement measures sufficient to reduce them to a reasonable and appropriate level, assigning owners and target dates and tracking the work to completion. The two activities form a loop: the analysis identifies and prioritizes risks, risk management addresses them, and the next analysis confirms progress and surfaces new issues as the environment evolves. An analysis that is never connected to action provides little protection and little defense.
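The loop described above can be made concrete in a small risk register. The following is an added illustration, not code from this page or from HHS/NIST guidance; the system names, threats, scores, owners and dates are constructed sample data, and the likelihood x impact scoring is one common rating scheme, assumed here for demonstration.

```python
"""Minimal ePHI risk register (constructed example).

Rates each identified risk as likelihood x impact, checks that every system
holding ePHI appears in the analysis (the "all ePHI" requirement), orders
risks so the most serious are addressed first, and flags risks that have no
remediation owner or target date, i.e. analysis not connected to action.
"""
from dataclasses import dataclass
from typing import List, Optional

# Systems the asset inventory says hold ePHI (constructed sample inventory).
EPHI_SYSTEMS = {"ehr", "email", "file-share", "imaging", "backups", "mobile"}


@dataclass
class Risk:
    asset: str                          # system or data flow holding ePHI
    threat: str                         # threat or vulnerability description
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    impact: int                         # 1 (negligible) .. 5 (severe)
    owner: Optional[str] = None         # person accountable for remediation
    target_date: Optional[str] = None   # ISO date; None means not scheduled

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def uncovered_systems(risks: List[Risk], systems=EPHI_SYSTEMS) -> List[str]:
    """ePHI systems that appear in no risk entry: the analysis is not enterprise-wide."""
    return sorted(systems - {r.asset for r in risks})


def prioritized(risks: List[Risk]) -> List[Risk]:
    """Risks ordered highest score first (stable, so ties keep input order)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def unmanaged(risks: List[Risk]) -> List[Risk]:
    """Identified risks with no owner or no target date: nothing is driving remediation."""
    return [r for r in risks if not (r.owner and r.target_date)]


# Constructed sample register; values are illustrative only.
SAMPLE_RISKS = [
    Risk("ehr", "credential theft against EHR accounts", 4, 5, "CISO", "2025-06-30"),
    Risk("email", "phishing leading to ePHI disclosure", 5, 4, "IT Ops", "2025-05-15"),
    Risk("backups", "unencrypted backup media lost", 2, 5),
    Risk("file-share", "overly broad share permissions", 3, 3, "IT Ops", None),
]
```

Running the three checks over the sample register shows two ePHI systems left out of the analysis, the EHR and email risks at the top of the queue, and two risks with no one accountable for fixing them.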