By Specialty

HIPAA Risk Analysis for a Primary Care Practice

5 min read · Last reviewed May 22, 2026

Primary care is the default OCR audit target

The Security Rule at 45 CFR 164.308(a)(1)(ii)(A)(1)(ii)(A)) requires every covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Primary care practices are the canonical small-provider covered entity, and they are the practices most often cited in OCR's published Resolution Agreements for missing or stale risk analyses.

The HHS Office for Civil Rights spells out what the analysis must contain in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule. The guidance is specialty-neutral by design; primary care does not get a softer version.

What ePHI a primary care practice actually holds

A defensible risk analysis starts with an honest inventory. For a typical primary care practice that means:

  • Certified electronic health record (Athena, eClinicalWorks, Epic-on-the-cloud, Practice Fusion, NextGen, Elation, Cerner-Oracle Health, AdvancedMD)
  • Patient portal and secure messaging
  • E-prescribing and EPCS infrastructure
  • Lab and radiology interfaces (Quest, LabCorp, Hospital connect, Care Everywhere)
  • Eligibility and claims clearinghouse
  • Patient communication and recall tools (text reminders, automated outreach)
  • Remote patient monitoring devices and the cloud platforms they sync to
  • Telehealth platform (Doxy.me, Zoom for Healthcare, EHR-integrated video)
  • Population health and quality reporting registries (MIPS submitters, ACO data feeds)
  • Billing service, RCM contractor, coding contractor
  • Email, shared drives, scanning, and faxing systems
  • Personal mobile devices used for after-hours messages, on-call, photos

Every entry should map to a system owner, a data flow description, an access list, and a Business Associate Agreement reference under 45 CFR 164.504(e)) where the relationship is with a non-workforce vendor.

Threat scenarios primary care should evaluate

OCR's audit protocol expects the analysis to consider reasonably anticipated threats. For a primary care practice the list usually includes:

  • Phishing emails that deliver credential-stealing malware to front-desk or biller inboxes
  • Ransomware affecting the EHR or the file server holding scanned records
  • Stolen or lost laptops used by visiting providers or moonlighting attendings
  • Unencrypted backups carried offsite by a partner or kept on home drives
  • Workforce members continuing to access systems after termination
  • Personal-device photos of patient records sent over consumer messaging apps
  • Family-member account abuse on shared computers in the workroom
  • Telehealth sessions conducted from public or shared networks without MFA
  • EHR vendor breach affecting practice records
  • RCM/billing service breach exposing claims data
  • Insider snooping (a workforce member looking at a colleague's chart, a celebrity chart, a spouse's chart)

Each scenario should get a likelihood and impact rating and a corresponding safeguard. NIST SP 800-30 is the standard reference for the rating method, and NIST SP 800-66 r2 walks small providers through applying it to HIPAA.

Mapping to Security Rule safeguards

The analysis output must demonstrate coverage of:

The audit protocol uses the exact citation structure above, so the risk analysis is easier to defend if its sections match.

Telehealth, RPM, and AI tools deserve their own paragraph

OCR's December 2022 guidance on telehealth and HHS's HIPAA and Cybersecurity Authorizations push primary care to address connected devices, AI scribes, and remote monitoring inside the SRA. Treat each of those as its own system in the inventory: vendor, BAA status, data flow, retention, breach response path.

Re-evaluation cadence

Section 164.308(a)(8)(8)) requires periodic technical and nontechnical evaluation in response to environmental or operational changes. The OCR guidance is explicit that the risk analysis is not a one-time exercise. The practical pattern most primary care practices land on is an annual full refresh plus an event-triggered review whenever a major system, vendor, or workflow changes (new EHR module, new RPM device, new billing service, breach, OCR audit letter, payer BAA request).

What to document

A defensible primary care SRA package contains:

  • A dated ePHI inventory and scope statement
  • A threat and vulnerability list with likelihood and impact ratings
  • A safeguard inventory mapped to each Security Rule standard
  • A risk register with residual risk and a remediation plan
  • Decisions on each addressable specification with reasoning
  • A signed approval by the Security Official under 164.308(a)(2)(2))
  • A re-evaluation schedule

The package is what OCR asks for in an audit, and it is what payers increasingly ask for when issuing a Business Associate Agreement to a small practice acting in a hybrid role.

How D3rx supports this

D3rx SRA Binder Studio is a documentation aid built for small primary care practices working through this on their own. It walks each Security Rule specification in plain English, organizes the resulting evidence into a binder, and links every answer back to the underlying HHS, OCR, eCFR, or NIST source. It is a point-in-time assessment aid; the practice remains responsible for the substance.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  2. Resolution Agreementshttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  3. Guidance on Risk Analysis Requirements under the HIPAA Security Rulehttps://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
  4. 45 CFR 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
  5. SP 800-30https://csrc.nist.gov/pubs/sp/800/30/r1/final
  6. SP 800-66 r2https://csrc.nist.gov/pubs/sp/800/66/r2/final
  7. 164.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
  8. 164.310https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310
  9. 164.312https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
  10. guidance on telehealthhttps://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html
  11. HIPAA and Cybersecurity Authorizationshttps://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-cybersecurity/index.html

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides