How to Conduct a HIPAA Security Risk Assessment (SRA) for Healthcare Providers

February 16th, 2024 | Healthcare, IT Audits, IT Consulting

For healthcare providers, safeguarding patient information is paramount. The HIPAA Security Rule requires covered entities and their business associates to conduct an accurate and thorough analysis of the risks to electronic protected health information (ePHI), commonly carried out as a Security Risk Assessment (SRA), and to update that analysis as systems and operations change. After conducting an assessment, you need to operationalize the findings by updating your security policies to address the gaps it uncovers.


What is a Security Risk Assessment (SRA)? 

An SRA evaluates an organization’s security posture by assessing the risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI): the threats that could compromise it, the vulnerabilities those threats could exploit, and the likelihood and impact of each. It helps healthcare providers identify gaps in their security practices and prioritize which ones to fix first.

The HealthIT Security Risk Assessment Tool 

The HealthIT.gov Security Risk Assessment (SRA) Tool, published by the Office of the National Coordinator for Health IT (ONC) together with the HHS Office for Civil Rights (OCR), provides a structured approach to conducting an SRA. It evaluates how well an organization protects electronic health information, covering administrative, physical, and technical safeguards, policies and procedures, breach response, and agreements with business associates and other partners. The assessment helps healthcare providers find weaknesses in their security program and work toward the HIPAA requirements for keeping patient data safe. Completing the tool does not by itself make you compliant: it documents your analysis, but the Security Rule also expects you to act on the risks you identify and to keep that documentation.

It consists of approximately 120 multiple-choice questions, each scored against a rubric, divided into seven sections:

  • Section 1: Security Risk Assessment (SRA) Basics (security management process)
  • Section 2: Security Policies, Procedures, & Documentation (defining policies & procedures)
  • Section 3: Security & Your Workforce (defining access to systems and workforce training)
  • Section 4: Security & Your Data (technical security procedures)
  • Section 5: Security & Your Practice (physical security procedures)
  • Section 6: Security & Your Vendors (business associate agreements and vendor access to PHI)
  • Section 7: Contingency Planning (backups and data recovery plans)

Let’s break down the process of running your own Security Risk Assessment: 

Planning

  • Allocate at least six hours for the assessment itself. 
  • Involve two to three leaders who are well-versed in your organization’s operations. 

Collaborative sessions with your IT team 

  • Over one to two weeks, engage in three to four two-hour sessions with your team. 
  • Work through the HealthIT SRA Tool questions described above as your workbook. 
  • If your internal team lacks the resources or expertise, engage an external IT firm to facilitate the sessions. 

Completing the Assessment

  • Answer questions honestly, reflecting your current operating state rather than the state you intend to reach. 
  • Note the potential risks and gaps your responses reveal as you go. 

Risk Indicators and Recommendations: 

  • Identify the risk indicators the assessment flags and rate each by likelihood and impact so that you can prioritize them. 
  • Summarize the findings into actionable recommendations and a remediation roadmap, with the highest-rated risks first. 

Follow-up Actions 

  • Expect to spend at least 30 hours following up on the recommendations to address your gaps. Give each remediation item an owner and a target date, and track it to closure. 

Maintaining HIPAA Compliance with a Security Manual 

It is one thing to run a security assessment and fix your immediate gaps, and another to operationalize those findings so that you can maintain compliance. The key to protecting your patients’ data is to turn your assessment findings into security policies that are kept in a security manual. Your security policies are only effective if your team is aware of the security manual, has read it, and the policies within it are reinforced from the top down. Here is a simple outline you can follow to manage your security manual: 

Review the Manual: 

  • Familiarize yourself with the manual’s content. 
  • Ensure it covers the essential security policies, including any the assessment identified as missing. 

Operational Affirmation: 

  • Confirm that day-to-day operations actually follow the written policies. 
  • Verify that your organization’s contingency plans address cybersecurity events such as ransomware, not only natural disasters and outages. 

Collaborative Control Assessment: 

  • Collaborate with the relevant stakeholders for each area of the manual. 
  • Clarify who is responsible for each control. 
  • Document each control’s implementation status (implemented, partially implemented, or planned) and the evidence that supports it. 

Manual Validation and Revision: 

  • Capture annotations, comments, and revisions in a working Microsoft Word draft of the security manual. 
  • Produce a revised version when the accumulated changes warrant it. 
  • Have key stakeholders take part in a coordinated review and acceptance of the draft, then retain the approved version: the HIPAA Security Rule requires security documentation to be kept for six years from its creation or the date it was last in effect, whichever is later. 

Safeguarding Your Patients’ Data 

By diligently conducting SRAs, adhering to security policies, collaborating on control assessments, and implementing recommendations, healthcare providers can safeguard patient data, maintain compliance, and build trust. Remember, protecting ePHI is not just a legal requirement—it’s a commitment to patient well-being. 

If your team needs help assessing your HIPAA compliance and addressing your gaps, contact Aldridge today.