HIPAA
January 12, 2026
6 min read

Security Risk Analysis (SRA): how to do it the way OCR expects

A clinic-owner guide to building a defensible HIPAA risk analysis with clear evidence and remediation.


Security Risk Analysis (SRA): a defensible approach for small clinics

A HIPAA Security Risk Analysis is not a survey. It is a documented, repeatable process that shows:

  • what systems touch electronic PHI (ePHI)
  • what could go wrong (threats and vulnerabilities)
  • what safeguards exist today (with evidence)
  • what you will fix next (risk management plan)

OCR expects you to be able to show your work. If you can’t produce a structured risk analysis and a remediation trail, you’re exposed.

What counts as a risk analysis (in practice)

At minimum, your risk analysis should include:

  • System inventory: EHR, email, laptops, phones, servers, cloud storage, backups, network gear, third-party vendors.
  • Data flow: where ePHI is created, stored, transmitted, and accessed.
  • Threats: phishing, lost devices, insider misuse, misconfiguration, ransomware, vendor compromise.
  • Vulnerabilities: no MFA, shared accounts, weak endpoint management, missing backup testing, unclear access provisioning.
  • Existing safeguards: MFA screenshots, encryption settings, access logging, role-based access policies, training records.
  • Risk rating: impact × likelihood (be consistent).
  • Remediation plan: owners, due dates, and evidence of completion.

A simple scoring model that works

Pick a scale and stick to it. For example:

  • Likelihood: 1 (rare) → 5 (frequent)
  • Impact: 1 (low) → 5 (severe)
  • Risk score = likelihood × impact

Then define thresholds (example):

  • 1–6 low
  • 7–12 moderate
  • 13–25 high

Evidence: what actually makes it defensible

For each high-risk item, attach evidence that proves the safeguard exists (or does not exist yet). Examples:

  • MFA enforcement screenshot (Google Workspace, Microsoft 365, EHR vendor)
  • Encryption settings (device encryption, cloud storage encryption at rest)
  • Backup configuration and restore test record
  • Access logs and retention settings
  • Workforce training completion list and certificate evidence

If your policy says “we enforce MFA,” your evidence must show MFA is enforced.
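The scoring model and evidence rule above can be encoded as a small risk-register check. This is an added example written for this article, not a tool from HIPAA Hub; the scale (1–5), thresholds (1–6 low, 7–12 moderate, 13–25 high) and the "high risk needs evidence plus an owner and due date" rule come from the text, while the `RiskItem` fields and the sample register are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Scale and thresholds as given in the article: likelihood and impact 1-5,
# score = likelihood x impact, banded 1-6 low, 7-12 moderate, 13-25 high.
BANDS = [(6, "low"), (12, "moderate"), (25, "high")]

@dataclass
class RiskItem:
    system: str                 # inventory entry that touches ePHI
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (frequent)
    impact: int                 # 1 (low) .. 5 (severe)
    evidence: list[str] = field(default_factory=list)  # screenshots, exports, logs
    owner: str = ""             # remediation owner
    due: date | None = None     # remediation due date

def score(item: RiskItem) -> int:
    """likelihood x impact, rejecting values that are off the agreed scale."""
    if not (1 <= item.likelihood <= 5 and 1 <= item.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return item.likelihood * item.impact

def band(s: int) -> str:
    """Map a 1-25 score onto the article's low/moderate/high thresholds."""
    return next(name for upper, name in BANDS if s <= upper)

def review(register: list[RiskItem]) -> list[dict]:
    """Score each item and flag gaps that leave a high-risk entry indefensible."""
    findings = []
    for item in register:
        s = score(item)
        b, gaps = band(s), []
        if b == "high" and not item.evidence:
            gaps.append("no evidence attached")
        if b == "high" and (not item.owner or item.due is None):
            gaps.append("no remediation owner or due date")
        findings.append({"system": item.system, "score": s, "band": b, "gaps": gaps})
    return findings

# Constructed sample register for a hypothetical clinic (not real data).
SAMPLE_REGISTER = [
    RiskItem("Email (Microsoft 365)", "phishing", "MFA not enforced", 5, 4),
    RiskItem("Clinic laptops", "lost device", "encryption status unverified", 3, 5,
             ["bitlocker-status-export.csv"], "Practice manager", date(2026, 3, 31)),
    RiskItem("Backups", "ransomware", "restore never tested", 2, 3,
             ["backup-config.png"], "IT vendor", date(2026, 2, 28)),
]
```

Running `review(SAMPLE_REGISTER)` scores the email item 20 (high) with both gaps flagged, the laptop item 15 (high) with none, and the backup item 6 (low); the flagged gaps are exactly what an auditor would ask for.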

How often should you redo the SRA?

At least annually—and also after major changes such as:

  • new EHR or vendor platform
  • major network change
  • staff growth, new locations
  • a security incident or near-miss
  • moving email/storage providers

What clinic owners should do next

  1. Build your inventory of systems and vendors touching ePHI.
  2. Identify your top 10 risks and attach evidence to each.
  3. Create a remediation plan with clear owners and deadlines.
  4. Track completion with proof (screenshots, logs, vendor confirmations).

This is how compliance becomes defensible.

Written by

HIPAA Hub Team
