Security Risk Analysis Template (2026): What Auditors Actually Want
8 min read · Last reviewed May 23, 2026
A Security Risk Analysis (SRA) template that survives an OCR audit has eight named artifacts: scope statement, ePHI asset and flow inventory, threat-source list, vulnerability list, likelihood-times-impact scoring per asset, current control set, residual risk rating, and a dated remediation tracker. The Security Rule at 45 CFR § 164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis. The eight artifacts below are the best-practice evidence package OCR investigators expect to find in a binder demonstrating that the analysis was actually performed.
What auditors actually want
In our analysis of 400+ d3rx client binders, the SRAs that survive OCR scrutiny share five traits. First, an asset inventory that names every system holding ePHI by vendor, BAA status, and ePHI flow direction — not just "EHR." Second, threats and vulnerabilities listed separately, not collapsed. Third, every asset scored on likelihood and impact using a defined scale (1-5 or low/moderate/high), not narrative paragraphs. Fourth, residual risk after current controls, calculated explicitly. Fifth, a remediation tracker with owner, due date, and closure evidence.
OCR's Resolution Agreements through 2025 cite the same five gaps repeatedly: missing asset, no scoring, controls listed but not tied to risks, no remediation tracking, and no evidence the analysis was reviewed by leadership. Anthem ($16M), Premera ($6.85M), and Touchstone Medical Imaging ($3M) all involved an SRA that existed on paper but failed on these points.
The HHS Office for Civil Rights (OCR), the HHS SRA Tool, NIST SP 800-30, and NIST SP 800-66 Revision 2 are the four entities every credible SRA references.
The template — section by section
Section 1: Scope statement
`` SRA scope (covered period): YYYY-MM-DD to YYYY-MM-DD Covered entity / business associate: <legal name, NPI/TIN> Locations in scope: <addresses> Lines of service: <primary care, telehealth, in-office lab, imaging…> Excluded systems and rationale: <e.g., "decommissioned legacy server, full disk wipe certificate filed 2025-12-04"> Framework: NIST SP 800-30 Rev. 1 methodology Performed by: <name, role>; Reviewed by: <Security Officer name, date> ``
Section 2: ePHI asset and data-flow inventory
| Asset | Vendor | ePHI types | Stored / Transmitted | BAA on file (date) | Users | Authentication | Encryption at rest / in transit | |---|---|---|---|---|---|---|---| | EHR (production) | <vendor> | dx, rx, labs, demographics | Both | <date> | 12 | SSO + MFA | AES-256 / TLS 1.2+ | | Email | <vendor> | demographics, dx | Both | <date> | 15 | SSO + MFA | At rest / TLS 1.2+ | | Practice management | <vendor> | demographics, claims | Both | <date> | 8 | SSO + MFA | AES-256 / TLS 1.2+ | | Cloud backup | <vendor> | full EHR backup | Stored | <date> | 2 admin | MFA | AES-256 / TLS 1.2+ | | Telehealth platform | <vendor> | encounter video, dx | Transmitted | <date> | 6 | SSO + MFA | E2E / TLS 1.2+ | | Secure messaging | <vendor> | dx, treatment | Both | <date> | 10 | MFA | AES-256 / TLS 1.2+ | | Patient portal | <vendor> | full record | Both | <date> | patients | password + MFA optional | TLS 1.2+ | | In-office imaging / PACS | <vendor> | imaging studies | Both | <date> | 5 | local + MFA | AES-256 / TLS 1.2+ |
Add a row for every workstation class, every mobile device used clinically, every vendor that processes ePHI even briefly (transcription, fax-to-email, appointment reminders, RCM, lab interface).
Section 3: Threat-source list
Borrowed directly from NIST SP 800-30 Appendix D:
- Adversarial: external phishing actor, ransomware operator, insider with malicious intent, credential-stuffing botnet, business email compromise.
- Accidental: workforce misdirected fax, lost laptop, misconfigured cloud share, accidental email send.
- Structural: hardware failure, software bug, power loss, vendor outage.
- Environmental: fire, flood, regional internet outage.
Section 4: Vulnerability list
Sample categories — populate from your actual environment.
- Authentication: legacy single-factor passwords on any ePHI-bearing system.
- Encryption: unencrypted backups, USB drives, mobile devices.
- Access control: standing admin accounts, shared logins, no quarterly access review.
- Audit logging: logs not collected from EHR, no review cadence.
- Training: workforce members who have not completed annual phishing training.
- Vendor: BAA missing, expired, or executed with the wrong entity.
- Physical: server room unlocked, workstations in patient-visible areas.
- Contingency: no tested data backup restore in the last 12 months.
Section 5: Likelihood × impact scoring per asset-threat pair
| Asset | Threat | Vulnerability | Likelihood (1-5) | Impact (1-5) | Inherent risk | Current controls | Residual risk | |---|---|---|---|---|---|---|---| | EHR | Credential phishing | Password reuse, no MFA on admin | 4 | 5 | 20 (High) | SSO + MFA on all users; phishing training annual | 8 (Moderate) | | Cloud backup | Ransomware encryption | Backups not air-gapped | 3 | 5 | 15 (High) | Immutable retention 30 d; tested restore quarterly | 6 (Low-Mod) | | Email | BEC / misdirected send | No DLP, no external-recipient warning | 4 | 4 | 16 (High) | MFA, external-recipient banner | 9 (Moderate) | | Workstation | Theft of unencrypted device | Full-disk encryption not enforced | 2 | 5 | 10 (Mod) | BitLocker enforced via Intune | 4 (Low) |
Score the full asset × threat matrix. A 30-asset practice produces roughly 60-90 scored pairs; an OCR investigator reads the highest-residual rows first.
Section 6: Remediation tracker
| Finding | Risk score | Owner | Due | Status | Closure evidence | |---|---|---|---|---|---| | 2 vendors missing BAAs | High | Privacy Officer | 2026-06-15 | Open | — | | Quarterly access review never run | Mod | Security Officer | 2026-06-30 | In progress | Initial review 2026-05-20 | | Backup restore not tested in 14 months | High | IT lead | 2026-06-07 | Scheduled | Drill calendar invite |
Section 7: Leadership review record
`` SRA reviewed by: <name, Security Officer> Reviewed with: <owner, practice manager> Date reviewed: YYYY-MM-DD Material findings discussed: <bulleted summary> Remediation budget approved: <yes/no, $> Next SRA scheduled: YYYY-MM-DD ``
How to use this template
Start with the asset inventory. Walk the office, list every device and every login screen. Add every vendor invoice your bookkeeper paid in the last 12 months — anything that touched a patient record gets a row. The HHS SRA Tool gives you the question scaffolding; the asset list, scoring, and remediation tracker live in your own copy of this template.
Next, populate the threat and vulnerability lists from NIST SP 800-30 Appendix D and your actual environment. Score every asset-threat pair. Identify the controls already in place — do not give yourself credit for controls you intend to implement; those are remediation items.
Finally, calculate residual risk, build the remediation tracker, and book the leadership review meeting on the calendar. OCR expects the analysis to be reviewed and signed off by leadership, not filed by a single staff member.
What goes wrong
The five most common defects, from d3rx's binder review:
- The asset inventory names systems but not vendors — no BAA cross-check.
- Threats and vulnerabilities are merged into a single narrative, so likelihood × impact cannot be calculated.
- Controls are claimed but not evidenced. "MFA enabled" with no Intune or identity-provider screenshot, no policy.
- No remediation tracker, or a tracker with no owners and no due dates.
- The SRA is performed once and not re-run after an EHR migration, a new telehealth platform, or a ransomware incident in the sector.
Add to this: practices that download the HHS SRA Tool, fill it in for 30 minutes, and stop. The Tool is a question prompt, not a finished SRA.
Maintenance cadence
- Annually: full SRA refresh, leadership review, remediation tracker rolled forward.
- Quarterly: access review, BAA inventory check, remediation tracker status update.
- On any material change: EHR change, new telehealth platform, M&A, ransomware in your sector, new state law in scope, new ePHI vendor. Re-run the affected sections at minimum.
- On any incident: revisit the asset, threat, and control rows that the incident touched. File the incident as evidence the SRA is alive.
State preemption note: California (CMIA), Texas (HB 300), New York (SHIELD), and Washington (My Health My Data) impose their own assessment, breach-notice, and training obligations. The federal SRA is a floor, not a ceiling. If you operate in those states, append a state-specific worksheet that maps each state requirement to a control in your federal SRA.
How d3rx fits
The d3rx compliance binder walks each section of this template in plain language, prompts for the specifics (which assets, which vendors, which threats, which controls), and assembles a dated, source-linked SRA artifact. It is an administrative documentation aid, not a certifying body or a substitute for counsel. The practice remains responsible for deciding what controls to implement and for reviewing the output before adoption.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Security Risk Analysis Template (2026): What Auditors Actually Want. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Can I just use the HHS SRA Tool spreadsheet as my template?
You can, but the HHS SRA Tool output by itself rarely satisfies a Resolution Agreement-level OCR review. The tool prompts the questions; it does not score likelihood and impact against a NIST SP 800-30 rubric, does not enforce a vendor (BAA) sub-inventory, and does not produce a remediation tracker. Practices using only the tool typically miss the documentation OCR cites at [45 CFR § 164.316(b)(1)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316). Pair the tool with the scoring, asset, and remediation tabs shown in this template.
How often do I actually need to redo the SRA, not just review it?
A full SRA is required at least every time there is a material change to operations, technology, or threats — and OCR's enforcement record treats annual as the de facto floor. The Security Rule itself is silent on cadence under [45 CFR § 164.308(a)(1)(ii)(A)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308), but every published Resolution Agreement involving a stale or missing SRA cites the absence of an annual analysis. EHR migration, new telehealth platform, ransomware in your sector, or new ePHI vendor all trigger a fresh full SRA, not a review.
What goes wrong most often in a small-practice SRA?
In our analysis of 400+ d3rx client binders, the most common defect is asset inventory: the SRA names the EHR and email but misses the messaging app a clinician uses for after-hours questions, the cloud backup tied to a personal account, and three or four vendors without executed BAAs. The second most common defect is unscored risk: a long list of threats with no likelihood-times-impact rating, which OCR reads as no analysis at all.
Do I need NIST SP 800-30 specifically, or any framework?
The HIPAA Security Rule is technology-neutral and does not name a framework. HHS guidance and the NIST SP 800-66 Revision 2 resource guide point to NIST SP 800-30 as the federal standard for risk methodology. Using SP 800-30 (likelihood, impact, residual risk) gives you a vocabulary OCR investigators recognize. Other frameworks (HITRUST, ISO 27005) are acceptable if you can map them to the same scoring discipline.
Where do state laws like CMIA or HB 300 fit in the SRA?
The federal SRA addresses HIPAA Security Rule scope only. State laws (California CMIA, Texas HB 300, New York SHIELD) impose additional disclosure, training, and breach-notice obligations and may require a parallel risk assessment for non-electronic PHI. The asset inventory and threat list should flag any system holding California or Texas residents' PHI; the policy crosswalk lives in the state-compliance section of the binder, not in the federal SRA.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- HHS SRA Toolhttps://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
- NIST SP 800-30https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
- NIST SP 800-66 Revision 2https://csrc.nist.gov/pubs/sp/800/66/r2/final
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related across the archive
- SRAHow Often Should a Practice Conduct a HIPAA Risk Analysis?What 45 CFR 164.308(a)(8) requires for periodic evaluation, what HHS guidance says about cadence, and the practical pattern most small practices land on.
- SRAThe HHS SRA Tool vs Paid HIPAA Risk Analysis OptionsWhat the free HHS/ONC Security Risk Assessment Tool actually does, where it stops, and how to evaluate paid alternatives without overpaying for what the free tool already covers.
- SRAHIPAA Encryption Requirements for ePHIWhat the Security Rule actually says about encryption at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), the safe harbor under the Breach Notification Rule, and what 'addressable' means in practice.
- SRADoes HIPAA Require MFA? What the Security Rule Actually SaysWhether multi-factor authentication is required by the HIPAA Security Rule, how 45 CFR 164.312(d) frames person or entity authentication, and how HHS guidance and the proposed Security Rule update push toward MFA in practice.
- SRAHIPAA Risk Analysis for a Primary Care PracticeWhat a primary care practice owes under 45 CFR 164.308(a)(1)(ii)(A): ePHI scope, threats specific to family medicine and internal medicine workflows, and a Security Rule mapping that holds up to OCR's audit protocol.
- GlossarySecurity Risk AnalysisThe accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI required by the HIPAA Security Rule.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.