HIPAA Security Risk Analysis Guides
Reference guides for small practices working on their HIPAA Security Risk Analysis. Every article is source-grounded against HHS, OCR, eCFR, and NIST publications — no marketing claims, no fabricated stats.
Administrative Safeguards
Audits and Enforcement
Change Healthcare Ransomware: What Small Practices Took Away
The February 2024 Change Healthcare cyberattack, what HHS and UnitedHealth Group disclosed, and the small-practice lessons about clearinghouse concentration risk, contingency planning, and the Security Rule's information system activity review.
6 min readThe HIPAA Breach Notification Rule, Explained
The four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
6 min readHIPAA Settlements and Civil Money Penalties: A Small-Practice Reading List
How HHS Office for Civil Rights publishes its enforcement record, the tiered civil money penalty structure at 45 CFR 160.404, and what recent small-practice settlements actually say.
5 min readWhat to Do If You Get an OCR Audit Letter
A step-by-step response framework for a small practice that receives an OCR HIPAA audit or investigation letter, drawn from OCR's audit protocol and published Resolution Agreements.
5 min readOCR Audit Protocol: What Small Practices Should Expect
How the HHS Office for Civil Rights HIPAA Audit Protocol is structured, what OCR has publicly announced about the audit program restart, and how a small practice prepares its binder against the protocol's audited elements.
5 min readBy Specialty
HIPAA Risk Analysis for a Dental Practice
How a small dental practice approaches the HIPAA Security Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A), with practical scope, ePHI flows, and Security Rule references.
5 min readHIPAA Risk Analysis for a Mental Health Practice
What therapists, psychologists, and psychiatry practices need in a HIPAA Security Risk Analysis, including the psychotherapy notes carve-out at 45 CFR 164.501 and 164.508(a)(2).
5 min readHIPAA Risk Analysis for a Physical Therapy Practice
What an outpatient physical therapy clinic owes under 45 CFR 164.308(a)(1)(ii)(A), with the ePHI workflows specific to PT, OT, and rehab settings.
5 min readHIPAA Risk Analysis for a Primary Care Practice
What a primary care practice owes under 45 CFR 164.308(a)(1)(ii)(A): ePHI scope, threats specific to family medicine and internal medicine workflows, and a Security Rule mapping that holds up to OCR's audit protocol.
5 min readFoundations
CMS Promoting Interoperability and the Security Risk Analysis Attestation
How the CMS Promoting Interoperability program (formerly Meaningful Use) requires a HIPAA Security Risk Analysis for each EHR reporting period, what the attestation actually claims, and how CMS audits it after the fact.
5 min readHIPAA Policies and Procedures: What a Small Practice Actually Needs
What 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
5 min readHIPAA Security Rule vs Privacy Rule: A Plain-English Map
What the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
5 min readHow Often Should a Practice Conduct a HIPAA Risk Analysis?
What 45 CFR 164.308(a)(8) requires for periodic evaluation, what HHS guidance says about cadence, and the practical pattern most small practices land on.
6 min readPrivacy Rule
Technical Safeguards
HIPAA Encryption Requirements for ePHI
What the Security Rule actually says about encryption at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), the safe harbor under the Breach Notification Rule, and what 'addressable' means in practice.
5 min readDoes HIPAA Require MFA? What the Security Rule Actually Says
Whether multi-factor authentication is required by the HIPAA Security Rule, how 45 CFR 164.312(d) frames person or entity authentication, and how HHS guidance and the proposed Security Rule update push toward MFA in practice.
5 min readTooling
The HHS SRA Tool vs Paid HIPAA Risk Analysis Options
What the free HHS/ONC Security Risk Assessment Tool actually does, where it stops, and how to evaluate paid alternatives without overpaying for what the free tool already covers.
5 min readHIPAA Risk Analysis Cost: What Small Practices Actually Pay
What a small practice can realistically expect to spend on a HIPAA Security Risk Analysis: the free HHS tool, paid software ranges, and consultant engagements, with the buyer questions that prevent overpaying.
5 min readVendors and BAAs
BAA Vendor List: Which Vendors a Small Practice Needs to Sign With
A working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
5 min readPractice Management and EHR Vendors: Which Offer a BAA
How a small practice identifies whether its practice management and EHR vendors offer a Business Associate Agreement, what to look for, and how the BAA fits into the broader vendor inventory required by the Security Rule.
5 min read