Foundations

How Often Should a Practice Conduct a HIPAA Risk Analysis?

6 min read · Last reviewed May 22, 2026

The Security Rule does not say "annually"

A common misconception: the Security Rule requires an annual risk analysis. It does not say that.

45 CFR 164.308(a)(8)(8)) — the Evaluation standard — requires periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

164.308(a)(1)(ii)(A)(1)(ii)(A)) — the Risk Analysis specification — requires an accurate and thorough assessment of the potential risks and vulnerabilities. It does not name a cadence.

HHS's Guidance on Risk Analysis is explicit: Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

So the rule is "ongoing" and "periodic" — not "annual." Annual is the convention, not the regulation.

Why "annual" became the convention

Several forces converged to make annual the default:

  • CMS Promoting Interoperability: providers attesting to the Security Risk Analysis measure must conduct or review the analysis for each EHR reporting period (a calendar year for most). See the CMS Security Risk Analysis tipsheet.
  • Payer requirements: many payer BAAs require an annual SRA.
  • Cyber insurance: most cyber-insurance applications ask whether a risk analysis was conducted in the last 12 months.
  • Operational rhythm: practices that align annual reviews to their fiscal year produce a clean audit trail.

The defensible cadence

A defensible pattern that satisfies the rule, supports payer and CMS expectations, and produces clear documentation:

  • Annual full refresh: a complete re-walk of the risk analysis. Same scope, current threat landscape, fresh evidence.
  • Event-triggered refresh: a delta review whenever one of the following occurs:
  • New EHR or major EHR module
  • New practice management system
  • New telehealth, RPM, or AI scribe vendor
  • New clinical site, satellite, or merger
  • Material workforce change (new Security Official, significant staffing change)
  • Breach incident or near miss
  • OCR audit or investigation letter
  • Material regulatory change (e.g., Security Rule update finalized)
  • Cyber insurance carrier change

The annual full refresh produces the dated, signed document. The event-triggered refreshes update specific sections without re-doing the whole binder.

What "refresh" actually means

A full refresh is not starting over from scratch. It is:

  • Re-walking the ePHI inventory and confirming it matches today's reality
  • Re-walking the data flow
  • Adding any new vendors and removing any retired ones
  • Re-rating threats given the past year's events (industry incidents, near misses, audit findings, OCR newsletters)
  • Updating the safeguard inventory with anything actually deployed during the year
  • Re-evaluating addressable-specification decisions
  • Carrying forward open items from last year's risk register
  • Updating residual risks and the remediation plan
  • Refreshing training records, sanction log, BAA log, breach log
  • Re-signing by the Security Official

A practice that maintains last year's binder can do a refresh in days, not weeks. A practice that did not document last year typically has to substantially redo the work.

What CMS Promoting Interoperability actually requires

For eligible clinicians and eligible hospitals participating in CMS Promoting Interoperability (formerly Meaningful Use), the Security Risk Analysis measure requires the SRA to be conducted or reviewed for each EHR reporting period. The CMS tipsheet on the SRA measure explains the attestation in detail.

CMS audits Promoting Interoperability attestations after the fact. The audit asks for the dated risk analysis covering the relevant reporting period. A missing or stale analysis can result in repayment demands and exclusion from the program.

Documentation cadence beyond the SRA itself

Several supporting elements have their own cadence even if the master SRA is annual:

  • Information system activity review under 164.308(a)(1)(ii)(D)(1)(ii)(D)) is regular; many practices do a monthly or quarterly log review.
  • Security awareness updates under 164.308(a)(5)(ii)(A)(5)(ii)(A)) are periodic; monthly reminders are a common pattern.
  • Contingency plan testing under 164.308(a)(7)(ii)(D)(7)(ii)(D)) is annual at most practices, often tied to the SRA refresh.
  • Policy and procedure review under 164.316(b)(2)(iii)(2)(iii)) is annual at most practices, with event-triggered reviews.

What about quarterly or continuous?

Larger entities sometimes run continuous control monitoring or quarterly mini-assessments. Most small practices do not need that cadence. The Security Rule does not require it; the practical limit is staff time. A small practice that maintains a current annual SRA plus event-triggered refreshes is meeting the rule.

What "out of date" looks like

A risk analysis becomes stale when:

  • The practice has added a new system not in the analysis
  • A vendor has changed and the BAA log does not reflect it
  • A breach or near miss has occurred without being reflected
  • The threat landscape has shifted (e.g., post-Change Healthcare, clearinghouse risk is no longer abstract)
  • The Security Official has changed and the new signature is missing
  • The supporting policies have been updated but the SRA still references the old versions

OCR's published Resolution Agreements include language like "the entity's risk analysis was last conducted in [year], multiple years prior to the breach." That phrase is the canonical staleness finding.

Restraint about claims

No vendor or consultant can certify that an SRA cadence will satisfy every possible audit. The regulation is "ongoing" and "periodic." Annual plus event-triggered refreshes is a defensible pattern and the de facto industry standard; the practice should follow it consistently and document the work.

How D3rx fits

D3rx SRA Binder Studio retains last year's binder so the annual refresh is a delta exercise rather than a restart. It surfaces material-change events as separate refresh triggers and timestamps every section so staleness is visible. It is a point-in-time administrative documentation aid; the practice remains responsible for actually running the cadence.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR 164.308(a)(8)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  2. Guidance on Risk Analysishttps://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
  3. CMS Security Risk Analysis tipsheethttps://www.cms.gov/regulations-guidance/promoting-interoperability/2024-medicare-promoting-interoperability-program-resources/security-risk-analysis-tipsheet
  4. 164.316(b)(2)(iii)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides