HIPAA Security Risk Assessment Checklist for Small Practices

7 min read · Updated April 25, 2026

If you run a 1-10 provider practice, the Security Risk Assessment (SRA) is the single document an OCR investigator will ask for first. It is also the document most small practices either skip, copy from a template, or last touched three years ago. This guide walks through what the SRA actually has to contain, the nine elements OCR named in its 2010 guidance, a concrete asset inventory for a small practice, and how to document the parts most practices get wrong.

What an SRA is, in plain terms

The HIPAA Security Rule applies to electronic protected health information (ePHI); the Privacy Rule covers PHI in any form. The Security Rule, at 45 CFR 164.308(a)(1)(ii)(A), requires a covered entity to conduct an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." This is a Required implementation specification, not an addressable one. Pair it with 45 CFR 164.308(a)(1)(ii)(B), Risk Management, which is also Required and obliges you to reduce the risks the analysis finds to a reasonable and appropriate level, not just to write them down.

An SRA is not a checklist of yes/no answers. It is a written analysis: what ePHI you have, where it flows, what could go wrong, how likely and how bad each scenario is, what you already do about it, and what you plan to do next.

The nine elements from the 2010 OCR guidance

OCR's Guidance on Risk Analysis Requirements (2010) names nine elements an SRA should contain. Technical guidance for carrying them out lives in NIST SP 800-66 Rev. 2 (February 2024), NIST's current guide to implementing the Security Rule. The nine elements:

  1. Scope of the Analysis. All ePHI the entity creates, receives, maintains, or transmits. Include every device, app, vendor, and location.
  2. Data Collection. Document where ePHI is stored, received, maintained, and transmitted. This is the asset and data flow inventory.
  3. Identify and Document Potential Threats and Vulnerabilities. Realistic threats specific to your environment, not a copy of a generic list.
  4. Assess Current Security Measures. What you already have in place: MFA, full disk encryption, EHR audit logs, locked file rooms, BAAs, etc.
  5. Determine the Likelihood of Threat Occurrence. A reasoned estimate (often low / medium / high) for each threat-vulnerability pair.
  6. Determine the Potential Impact of Threat Occurrence. What happens if it goes wrong: number of records, downtime, regulatory exposure.
  7. Determine the Level of Risk. A function of likelihood and impact, with a clear ranking so you know what to fix first.
  8. Finalize Documentation. Written analysis, dated and signed, retained for six years from the date it was created or the date it was last in effect, whichever is later, per 45 CFR 164.316(b)(2)(i).
  9. Periodic Review and Updates. Required under 45 CFR 164.316(b)(2)(iii). The current rule does not specify a fixed cadence. The December 2024 HHS NPRM proposes annual, but that proposal is not in effect as of April 2026.
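
Elements 5 through 7 are the part most template SRAs leave as blank columns. Below is an added example, not code from this page or from D3rx, of a small risk register in Python: each threat-vulnerability pair is rated for likelihood and impact, a risk level is derived, the register is ranked so the remediation plan has an order, and a check flags high risks that still have no owner or due date. The 3-point low/medium/high scale and the score bands are assumptions (OCR does not mandate a scale), and every register entry is constructed sample data, not a real practice's assessment.

```python
"""Minimal SRA risk register: rate likelihood and impact per threat-vulnerability
pair, derive a risk level, rank what to fix first, and flag unowned high risks.
All entries are constructed sample data, not a real practice's SRA."""
from dataclasses import dataclass
from typing import Optional

# Ordinal scale for likelihood and impact. OCR does not mandate a scale;
# the 3-point low/medium/high scale used here is an assumption.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    asset: str                   # where the ePHI lives (from the asset inventory)
    threat: str                  # what could happen
    vulnerability: str           # why it could happen in this environment
    current_measures: str        # safeguards already in place (element 4)
    likelihood: str              # low / medium / high, judged with current measures
    impact: str                  # low / medium / high
    remediation: str = ""        # planned action
    owner: Optional[str] = None  # who is accountable for the remediation
    due: Optional[str] = None    # target date, ISO 8601 string


def risk_score(entry: RiskEntry) -> int:
    """Risk as the product of likelihood and impact on the 1-3 scale (range 1..9)."""
    return SCALE[entry.likelihood] * SCALE[entry.impact]


def risk_level(entry: RiskEntry) -> str:
    """Map the 1-9 score onto three bands (assumed cut-offs: 6+ high, 3-5 medium)."""
    score = risk_score(entry)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def ranked(register: list) -> list:
    """Highest risk first; ties broken by impact so the worst-case outcome leads."""
    return sorted(register, key=lambda e: (risk_score(e), SCALE[e.impact]), reverse=True)


def unowned_high_risks(register: list) -> list:
    """Remediation-plan check: every high risk needs a named owner and a due date."""
    return [e for e in register if risk_level(e) == "high" and not (e.owner and e.due)]


# Constructed sample register for a small practice (not real data).
SAMPLE_REGISTER = [
    RiskEntry("Front-desk laptop", "Lost or stolen device", "No full disk encryption",
              "Screen lock after 10 minutes", "medium", "high",
              "Enable full disk encryption; escrow recovery keys", "Office manager", "2026-05-15"),
    RiskEntry("Cloud EHR", "Phishing of staff credentials", "MFA not enforced for all users",
              "Password policy only", "high", "high",
              "Enforce MFA on every EHR login"),  # no owner or date yet: will be flagged
    RiskEntry("Backup drive", "Unencrypted backup taken off-site", "USB drive is not encrypted",
              "Drive kept in a locked cabinet", "medium", "medium",
              "Move to encrypted backup with tested restores", "IT vendor", "2026-06-01"),
    RiskEntry("Fax-to-email", "Misdirected fax", "No recipient-number verification step",
              "Cover sheet with confidentiality notice", "high", "low",
              "Confirm the number before sending; log misdirects", "Billing lead", "2026-05-01"),
]


def summary(register: list = SAMPLE_REGISTER) -> list:
    """(asset, level, score) tuples in the order the remediation plan should be worked."""
    return [(e.asset, risk_level(e), risk_score(e)) for e in ranked(register)]


if __name__ == "__main__":
    for asset, level, score in summary():
        print(f"{score}  {level:<6} {asset}")
    for e in unowned_high_risks(SAMPLE_REGISTER):
        print("NEEDS OWNER AND DATE:", e.asset, "-", e.threat)
```

The point of the ranking is not the arithmetic but the audit trail: each row records what was already in place when the rating was made, so a reviewer can see why "medium" was chosen and what changed when the register is updated after a new EHR or an incident. The unowned-high-risk check is the kind of gap an investigator reads straight off a remediation plan.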

Asset and data flow inventory for a small practice

Most small practices fail the Data Collection element because they list "the EHR" and stop. Be granular. A working inventory for a 1-10 provider office usually includes:

  • EHR / PM system. Cloud or on-prem, vendor name, who has logins, MFA status, audit log retention.
  • Workstations and laptops. Make, OS, full disk encryption status, who uses each, automatic logoff configured.
  • Phones and tablets. Personal vs practice-owned, mobile device management, whether the EHR app or email is on them.
  • Backups. Where the backup lives, whether it is encrypted, who can restore it, last tested restore date.
  • Scanners, copiers, multifunction printers. Internal hard drives, where scanned files land, who picks them up.
  • Fax. Physical fax, fax-to-email, eFax service. Each is different. eFax services almost always need a BAA.
  • Cloud storage. Google Drive, OneDrive, Dropbox, anything else. BAA in place? Folder permissions reviewed?
  • Vendor portals. Clearinghouse, payer portals, lab portals, imaging. Who has logins, MFA status, offboarding process.
  • Email. Domain, provider, BAA in place if ePHI ever moves through it, encryption option for outbound.
  • Paper. Charts in transit, sign-in sheets, fax queues, shred bin. Paper is not ePHI, so the Security Rule does not reach it, but the Privacy Rule still does, and a paper chart left in a hallway is still a reportable incident.

For each asset, note where ePHI enters, where it sits, where it leaves, and who has access. This is the spine of the entire SRA.

Threat categories small practices actually face

Skip the generic threat catalog. Assess the threats that hit small offices in the wild:

  • Phishing of staff credentials, especially for the EHR and email.
  • Lost or stolen laptop or phone with ePHI cached or with email access.
  • Ransomware through an unpatched workstation, an RDP port exposed to the internet, or a malicious attachment.
  • Insider snooping, a staff member looking at records they have no need to see.
  • Vendor breach, a clearinghouse, billing service, or transcription vendor losing data.
  • Unencrypted backup drive in a desk drawer or sent home with a manager.
  • Misdirected fax or email, among the most common small-practice incident types.

For each, write one or two sentences on likelihood and impact in your specific environment. A solo practice with one part-time biller and a cloud EHR has a different threat profile than a 10-provider multispecialty office, and your SRA should read like it.

Addressable is not optional

This is the most misread word in the Security Rule. Under 45 CFR 164.306(d), an addressable specification is not optional. For each addressable spec you must either implement it, implement an equivalent alternative, or document in writing why neither is reasonable and appropriate, and what compensating controls you use instead. Common addressable specs people gloss over: encryption of ePHI at rest 164.312(a)(2)(iv), automatic logoff 164.312(a)(2)(iii), and encryption of transmissions 164.312(e)(2)(ii). Each one needs a real decision memo if you are not implementing it as written.

Using the ONC SRA Tool

The ONC SRA Tool on HealthIT.gov is a free, downloadable tool that walks through the Security Rule standards with prompts. It is a defensible starting point for a small practice. HHS is explicit that using the tool does not guarantee compliance with the Security Rule. The tool cannot see your assets, your vendors, or your data flows. Treat it as a structured questionnaire that prompts the right questions, then layer in:

  • Your asset and data flow inventory (above).
  • A written threat list specific to your practice.
  • Current safeguards and gaps.
  • A risk register and remediation plan with owners and dates.
  • Decision memos for each addressable spec you did not implement as written.

Periodic review

45 CFR 164.316(b)(2)(iii) requires you to review and update documentation periodically as needed in response to environmental or operational changes. The current rule does not name a cadence. A reasonable practice cadence: full SRA on any material change (new EHR, new location, new vendor with ePHI access, ransomware or other incident) and a regular cycle so it does not go stale. The December 2024 HHS NPRM proposes an explicit annual requirement; that proposal is not in effect as of April 2026, so be careful not to describe annual as a current mandate.

Where D3rx fits

The D3rx Compliance Binder organizes SRA answers, asset inventory, threat list, addressable-spec decision memos, and supporting evidence in one place, with timestamps and report history. It produces point-in-time assessment materials and keeps the evidence together when you need to hand it over. It does not certify compliance, provide legal advice, or guarantee an OCR audit outcome. The analysis and the decisions are still yours.

If you can produce, on 24 hours notice, a dated SRA narrative, an asset inventory, a threat list with likelihood and impact, a remediation plan with owners, and decision memos for every addressable spec you did not implement, you are ahead of most small practices. That is the bar to aim at.

Disclaimer

This guide is informational; not legal advice. D3rx organizes documentation and produces point-in-time assessment materials to support your Security Risk Assessment. It does not certify HIPAA status, replace counsel, or guarantee any regulatory outcome. For decisions specific to your practice, consult qualified privacy and security counsel.
