HIPAA Security Risk Assessment Checklist for Small Practices
7 min read · Updated April 25, 2026
If you run a 1-10 provider practice, the Security Risk Assessment (SRA) is the single document an OCR investigator will ask for first. It is also the document most small practices either skip, copy from a template, or last touched three years ago. This guide walks through what the SRA actually has to contain, the nine elements OCR named in its 2010 guidance, a concrete asset inventory for a small practice, and how to document the parts most practices get wrong.
What an SRA is, in plain terms
The HIPAA Security Rule applies to electronic protected health information (ePHI). The Privacy Rule covers PHI in any form. The Security Rule, at 45 CFR 164.308(a)(1)(ii)(A), requires a covered entity to conduct an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." This is a Required implementation specification, not addressable. Pair it with 45 CFR 164.308(a)(1)(ii)(B), the Risk Management standard, which requires you to actually do something about what the analysis finds.
An SRA is not a checklist of yes/no answers. It is a written analysis: what ePHI you have, where it flows, what could go wrong, how likely and how bad each scenario is, what you already do about it, and what you plan to do next.
The nine elements from the 2010 OCR guidance
OCR's Guidance on Risk Analysis Requirements (2010) names nine elements an SRA should contain. Federal technical guidance for these elements lives in NIST SP 800-66 Rev. 2 (February 2024), which is the current cybersecurity guidance for HIPAA. The nine elements:
- Scope of the Analysis. All ePHI the entity creates, receives, maintains, or transmits. Include every device, app, vendor, and location.
- Data Collection. Document where ePHI is stored, received, maintained, and transmitted. This is the asset and data flow inventory.
- Identify and Document Potential Threats and Vulnerabilities. Realistic threats specific to your environment, not a copy of a generic list.
- Assess Current Security Measures. What you already have in place: MFA, full disk encryption, EHR audit logs, locked file rooms, BAAs, etc.
- Determine the Likelihood of Threat Occurrence. A reasoned estimate (often low / medium / high) for each threat-vulnerability pair.
- Determine the Potential Impact of Threat Occurrence. What happens if it goes wrong: number of records, downtime, regulatory exposure.
- Determine the Level of Risk. A function of likelihood and impact, with a clear ranking so you know what to fix first.
- Finalize Documentation. Written analysis, dated and signed, retained for at least six years per
45 CFR 164.316(b)(2). - Periodic Review and Updates. Required under
45 CFR 164.316(b)(2)(iii). The current rule does not specify a fixed cadence. The December 2024 HHS NPRM proposes annual, but that proposal is not in effect as of April 2026.
Asset and data flow inventory for a small practice
Most small practices fail the Data Collection element because they list "the EHR" and stop. Be granular. A working inventory for a 1-10 provider office usually includes:
- EHR / PM system. Cloud or on-prem, vendor name, who has logins, MFA status, audit log retention.
- Workstations and laptops. Make, OS, full disk encryption status, who uses each, automatic logoff configured.
- Phones and tablets. Personal vs practice-owned, mobile device management, whether the EHR app or email is on them.
- Backups. Where the backup lives, whether it is encrypted, who can restore it, last tested restore date.
- Scanners, copiers, multifunction printers. Internal hard drives, where scanned files land, who picks them up.
- Fax. Physical fax, fax-to-email, eFax service. Each is different. eFax services almost always need a BAA.
- Cloud storage. Google Drive, OneDrive, Dropbox, anything else. BAA in place? Folder permissions reviewed?
- Vendor portals. Clearinghouse, payer portals, lab portals, imaging. Who has logins, MFA status, offboarding process.
- Email. Domain, provider, BAA in place if ePHI ever moves through it, encryption option for outbound.
- Paper. Charts in transit, sign-in sheets, fax queues, shred bin. The Privacy Rule still applies.
For each asset, note where ePHI enters, where it sits, where it leaves, and who has access. This is the spine of the entire SRA.
Threat categories small practices actually face
Skip the generic threat catalog. Assess the threats that hit small offices in the wild:
- Phishing of staff credentials, especially for the EHR and email.
- Lost or stolen laptop or phone with ePHI cached or with email access.
- Ransomware through an unpatched workstation, RDP, or a malicious attachment.
- Insider snooping, a staff member looking at records they have no need to see.
- Vendor breach, a clearinghouse, billing service, or transcription vendor losing data.
- Unencrypted backup drive in a desk drawer or sent home with a manager.
- Misdirected fax or email, the most common small-practice incident type.
For each, write one or two sentences on likelihood and impact in your specific environment. A solo practice with one part-time biller and a cloud EHR has a different threat profile than a 10-provider multispecialty office, and your SRA should read like it.
Addressable is not optional
This is the most misread word in the Security Rule. Under 45 CFR 164.306(d), an addressable specification is not optional. For each addressable spec you must either implement it, implement an equivalent alternative, or document in writing why neither is reasonable and appropriate, and what compensating controls you use instead. Common addressable specs people gloss over: encryption of ePHI at rest 164.312(a)(2)(iv), automatic logoff 164.312(a)(2)(iii), and encryption of transmissions 164.312(e)(2)(ii). Each one needs a real decision memo if you are not implementing it as written.
Using the ONC SRA Tool
The ONC SRA Tool on HealthIT.gov is a free, downloadable worksheet that walks through Security Rule standards with prompts. It is a defensible starting point for a small practice. HHS is explicit that using the tool does not guarantee compliance with the Security Rule. The tool cannot see your assets, your vendors, or your data flows. Treat it as a structured questionnaire that prompts the right questions, then layer in:
- Your asset and data flow inventory (above).
- A written threat list specific to your practice.
- Current safeguards and gaps.
- A risk register and remediation plan with owners and dates.
- Decision memos for each addressable spec you did not implement as written.
Periodic review
45 CFR 164.316(b)(2)(iii) requires you to review and update documentation periodically as needed in response to environmental or operational changes. The current rule does not name a cadence. A reasonable practice cadence: full SRA on any material change (new EHR, new location, new vendor with ePHI access, ransomware or other incident) and a regular cycle so it does not go stale. The December 2024 HHS NPRM proposes an explicit annual requirement; that proposal is not in effect as of April 2026, so be careful not to describe annual as a current mandate.
Where D3rx fits
The D3rx Security Risk Analysis organizes SRA answers, asset inventory, threat list, addressable-spec decision memos, and supporting evidence into one audit-ready binder, with timestamps and report history. It produces point-in-time assessment materials and keeps the evidence together when you need to hand it over. It does not certify compliance, provide legal advice, or guarantee an OCR audit outcome. The analysis and the decisions are still yours.
If you can produce, on 24 hours notice, a dated SRA narrative, an asset inventory, a threat list with likelihood and impact, a remediation plan with owners, and decision memos for every addressable spec you did not implement, you are ahead of most small practices. That is the bar to aim at.
Disclaimer
This guide is informational; not legal advice. D3rx organizes documentation and produces point-in-time assessment materials to support your Security Risk Assessment. It does not certify HIPAA status, replace counsel, or guarantee any regulatory outcome. For decisions specific to your practice, consult qualified privacy and security counsel.
Have a billing question?
Ask D3 →Frequently asked
Does HIPAA require an annual Security Risk Assessment?
The current Security Rule at 45 CFR 164.308(a)(1)(ii)(A) requires a risk analysis but does not name a fixed cadence. It says the analysis must be accurate and thorough, and the rule separately requires periodic review and updates under 164.316(b)(2)(iii). In practice, OCR and most auditors expect a fresh assessment whenever you have material changes (new EHR, new location, ransomware incident, new vendor with ePHI access) and on a regular cycle so the document does not go stale. A December 2024 HHS NPRM proposes an explicit annual cadence, but as of April 2026 that proposal is not in effect. Many small practices choose annual on their own because it lines up with insurance renewal and Medicare attestation. That is a reasonable cadence, just do not call it a HIPAA mandate.
Is the ONC SRA Tool from HealthIT.gov enough on its own?
It is a fine starting point and a defensible scaffolding for a small practice, but HHS itself states that using the tool does not guarantee compliance with the Security Rule. The tool walks you through questions mapped to the standards, but it does not know your asset inventory, your data flows, your vendors, or your physical layout. You still have to write the narrative: what ePHI you have, where it lives, who touches it, what you considered, and what you decided. Treat the ONC tool as a worksheet that prompts the right questions. Layer in your own asset and data flow inventory, threat list, current safeguards, and a remediation plan. That combination is what an investigator actually wants to see, not a printout of the tool by itself.
How do I document that we considered an addressable specification?
Under 45 CFR 164.306(d), addressable does not mean optional. For each addressable spec (encryption at rest, automatic logoff, encryption of transmissions, etc.) you have three paths: implement it as written, implement an equivalent alternative, or document in writing why neither is reasonable and appropriate for your environment, plus what compensating controls you use. The documentation should name the spec, describe your environment, list the alternatives you weighed, and state the decision and the date. Vague notes like not feasible will not hold up. Be specific: cost, workflow impact, technical constraints, and what you do instead. Re-review the decision when your environment changes. D3rx can store these decision memos and supporting evidence in the Compliance Binder so they are easy to produce on request.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
No external citations found — this guide synthesizes from multiple sources.
Sources verified as of April 25, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
- BillingHIPAA Training Log Requirements for Small PracticesWhat HIPAA actually requires for workforce training, what your training log should contain, and how long to keep it. Built for small practices and office managers.
- BillingRisk Register and 30/60/90 Remediation Plan: A Practical Guide for Small PracticesA practical template for turning your Security Risk Assessment into a living risk register plus a 30/60/90 remediation plan, with the CFR anchors small practices need.
- SRAHIPAA Risk Analysis Cost: What Small Practices Actually PayWhat a small practice can realistically expect to spend on a HIPAA Security Risk Analysis: the free HHS tool, paid software ranges, and consultant engagements, with the buyer questions that prevent overpaying.
- ComplianceAmbulatory Surgery Center Compliance: CMS + State + Infection Control42 CFR Part 416 Conditions for Coverage, CMS State Operations Manual Appendix L, the ASC Infection Control Surveyor Worksheet, and where state ASC licensure tightens the standard.
- Glossary60-Day Overpayment RuleACA requirement that Medicare and Medicaid overpayments be reported and returned within 60 days of identification.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.