HIPAA Risk Analysis for a Primary Care Practice
5 min read · Last reviewed May 22, 2026
Primary care is the default OCR audit target
The Security Rule at 45 CFR 164.308(a)(1)(ii)(A)(1)(ii)(A)) requires every covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Primary care practices are the canonical small-provider covered entity, and they are the practices most often cited in OCR's published Resolution Agreements for missing or stale risk analyses.
The HHS Office for Civil Rights spells out what the analysis must contain in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule. The guidance is specialty-neutral by design; primary care does not get a softer version.
What ePHI a primary care practice actually holds
A defensible risk analysis starts with an honest inventory. For a typical primary care practice that means:
- Certified electronic health record (Athena, eClinicalWorks, Epic-on-the-cloud, Practice Fusion, NextGen, Elation, Cerner-Oracle Health, AdvancedMD)
- Patient portal and secure messaging
- E-prescribing and EPCS infrastructure
- Lab and radiology interfaces (Quest, LabCorp, Hospital connect, Care Everywhere)
- Eligibility and claims clearinghouse
- Patient communication and recall tools (text reminders, automated outreach)
- Remote patient monitoring devices and the cloud platforms they sync to
- Telehealth platform (Doxy.me, Zoom for Healthcare, EHR-integrated video)
- Population health and quality reporting registries (MIPS submitters, ACO data feeds)
- Billing service, RCM contractor, coding contractor
- Email, shared drives, scanning, and faxing systems
- Personal mobile devices used for after-hours messages, on-call, photos
Every entry should map to a system owner, a data flow description, an access list, and a Business Associate Agreement reference under 45 CFR 164.504(e)) where the relationship is with a non-workforce vendor.
Threat scenarios primary care should evaluate
OCR's audit protocol expects the analysis to consider reasonably anticipated threats. For a primary care practice the list usually includes:
- Phishing emails that deliver credential-stealing malware to front-desk or biller inboxes
- Ransomware affecting the EHR or the file server holding scanned records
- Stolen or lost laptops used by visiting providers or moonlighting attendings
- Unencrypted backups carried offsite by a partner or kept on home drives
- Workforce members continuing to access systems after termination
- Personal-device photos of patient records sent over consumer messaging apps
- Family-member account abuse on shared computers in the workroom
- Telehealth sessions conducted from public or shared networks without MFA
- EHR vendor breach affecting practice records
- RCM/billing service breach exposing claims data
- Insider snooping (a workforce member looking at a colleague's chart, a celebrity chart, a spouse's chart)
Each scenario should get a likelihood and impact rating and a corresponding safeguard. NIST SP 800-30 is the standard reference for the rating method, and NIST SP 800-66 r2 walks small providers through applying it to HIPAA.
Mapping to Security Rule safeguards
The analysis output must demonstrate coverage of:
- Administrative safeguards at 164.308 — including the Security Management Process (risk analysis, risk management, sanction policy, information system activity review), Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, and Business Associate Contracts.
- Physical safeguards at 164.310 — Facility Access Controls, Workstation Use, Workstation Security, Device and Media Controls.
- Technical safeguards at 164.312 — Access Control, Audit Controls, Integrity, Person or Entity Authentication, Transmission Security.
The audit protocol uses the exact citation structure above, so the risk analysis is easier to defend if its sections match.
Telehealth, RPM, and AI tools deserve their own paragraph
OCR's December 2022 guidance on telehealth and HHS's HIPAA and Cybersecurity Authorizations push primary care to address connected devices, AI scribes, and remote monitoring inside the SRA. Treat each of those as its own system in the inventory: vendor, BAA status, data flow, retention, breach response path.
Re-evaluation cadence
Section 164.308(a)(8)(8)) requires periodic technical and nontechnical evaluation in response to environmental or operational changes. The OCR guidance is explicit that the risk analysis is not a one-time exercise. The practical pattern most primary care practices land on is an annual full refresh plus an event-triggered review whenever a major system, vendor, or workflow changes (new EHR module, new RPM device, new billing service, breach, OCR audit letter, payer BAA request).
What to document
A defensible primary care SRA package contains:
- A dated ePHI inventory and scope statement
- A threat and vulnerability list with likelihood and impact ratings
- A safeguard inventory mapped to each Security Rule standard
- A risk register with residual risk and a remediation plan
- Decisions on each addressable specification with reasoning
- A signed approval by the Security Official under 164.308(a)(2)(2))
- A re-evaluation schedule
The package is what OCR asks for in an audit, and it is what payers increasingly ask for when issuing a Business Associate Agreement to a small practice acting in a hybrid role.
How D3rx supports this
D3rx SRA Binder Studio is a documentation aid built for small primary care practices working through this on their own. It walks each Security Rule specification in plain English, organizes the resulting evidence into a binder, and links every answer back to the underlying HHS, OCR, eCFR, or NIST source. It is a point-in-time assessment aid; the practice remains responsible for the substance.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- Resolution Agreementshttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- Guidance on Risk Analysis Requirements under the HIPAA Security Rulehttps://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
- 45 CFR 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
- SP 800-30https://csrc.nist.gov/pubs/sp/800/30/r1/final
- SP 800-66 r2https://csrc.nist.gov/pubs/sp/800/66/r2/final
- 164.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- 164.310https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
- 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- guidance on telehealthhttps://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html
- HIPAA and Cybersecurity Authorizationshttps://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-cybersecurity/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Risk Analysis for a Dental Practice
5 min readBy SpecialtyHIPAA Risk Analysis for a Mental Health Practice
5 min readFoundationsHow Often Should a Practice Conduct a HIPAA Risk Analysis?
6 min readFoundationsCMS Promoting Interoperability and the Security Risk Analysis Attestation
5 min readRelated across the archive
- SRAHIPAA Risk Analysis for a Dental PracticeHow a small dental practice approaches the HIPAA Security Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A), with practical scope, ePHI flows, and Security Rule references.
- SRAHIPAA Risk Analysis for a Mental Health PracticeWhat therapists, psychologists, and psychiatry practices need in a HIPAA Security Risk Analysis, including the psychotherapy notes carve-out at 45 CFR 164.501 and 164.508(a)(2).
- SRAHow Often Should a Practice Conduct a HIPAA Risk Analysis?What 45 CFR 164.308(a)(8) requires for periodic evaluation, what HHS guidance says about cadence, and the practical pattern most small practices land on.
- SRACMS Promoting Interoperability and the Security Risk Analysis AttestationHow the CMS Promoting Interoperability program (formerly Meaningful Use) requires a HIPAA Security Risk Analysis for each EHR reporting period, what the attestation actually claims, and how CMS audits it after the fact.
- SRAHIPAA Risk Analysis for a Physical Therapy PracticeWhat an outpatient physical therapy clinic owes under 45 CFR 164.308(a)(1)(ii)(A), with the ePHI workflows specific to PT, OT, and rehab settings.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.