Is a Security Risk Analysis (SRA) Required?
Yes.
The HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) they hold.
This assessment is known as a Security Risk Analysis (SRA).
If your organization creates, receives, maintains, or transmits ePHI, an SRA is not optional; it is a federal requirement.
Who Must Complete an SRA?
An SRA is required for:
- Healthcare providers who transmit health information electronically in connection with standard transactions (for example, electronic claims)
- Health plans
- Healthcare clearinghouses
- Business associates that handle ePHI on behalf of a covered entity
- Vendors and subcontractors with access to ePHI (who are themselves business associates under the rule)
If you store patient information in an EHR, billing system, cloud platform, email system, or server, you must conduct an SRA.
What Does an SRA Evaluate?
A proper Security Risk Analysis examines:
- Where ePHI is stored
- How it is accessed
- Who has access
- Potential threats (internal and external)
- System vulnerabilities
- Existing safeguards
- Likelihood of risk occurrence
- Potential impact of risk
- Required mitigation steps
It is both a technical and administrative review.
How Often Must It Be Done?
HIPAA does not specify a strict timeline. However, regulatory guidance and enforcement history indicate that organizations should:
- Conduct an SRA at least annually
- Update it when major operational or technical changes occur, such as:
  - A new EHR system
  - A new location
  - A merger or acquisition
  - A ransomware incident
  - Significant staffing changes
Failure to update an outdated SRA is one of the most common compliance findings in enforcement actions.
Is Completing the SRA Enough?
No.
An SRA is only the first step.
HIPAA also requires (see 45 CFR § 164.308(a)(1)(ii)(B) and § 164.316):
- A written risk management plan
- Implementation of mitigation strategies
- Documentation of corrective actions
- Ongoing monitoring of security measures
An SRA without documented risk management is considered incomplete.
Why This Requirement Matters
The Office for Civil Rights (OCR) consistently cites failure to conduct a proper SRA as a primary reason for large HIPAA fines.
Common enforcement findings include:
- No documented SRA
- An SRA that was never updated
- A checklist instead of a true risk assessment
- No follow-up risk mitigation
In many enforcement cases, the absence of a proper SRA significantly increased penalty amounts.
What Happens If You Don’t Have One?
If audited or investigated, regulators may request:
- Your most recent SRA
- Documentation of identified risks
- Proof of mitigation efforts
- Evidence of ongoing monitoring
If you cannot provide this documentation, the violation may be treated as willful neglect, the highest penalty tier.
Key Takeaway
If your organization handles electronic protected health information in any capacity, a Security Risk Analysis is required under federal law.
It must be:
- Thorough
- Documented
- Updated
- Followed by risk management
Compliance is not a one-time form; it is an ongoing process.
Unsure when your last SRA was completed?
Review your documentation and ensure it reflects your current systems and operations.
Last reviewed: January 2026