Don’t take your annual security risk analysis (SRA) lightly. Too much depends on the security of your practice and your patients.

An SRA evaluates your risks and vulnerabilities, including security measures to protect patients’ protected health information (PHI). SRAs evaluate a wide range of technical, administrative and physical safeguards.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires your organization and each of your business associates to conduct or review an SRA on an annual basis. The rule applies to all electronic patient health information (ePHI) that is created, received, maintained or transmitted on behalf of a provider or facility.

Here’s why SRAs are important:

Audits, random compliance reviews and complaint investigations depend upon a current and comprehensive SRA.

SRAs that are not current or complete or that your staff does not comply with could cost you a substantial amount of reimbursements and fines.

SRA problems can leave your patients’ PHI vulnerable to HIPAA breaches. SRAs can identify potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, which can help prevent data breaches.

Completing an SRA and correcting deficiencies is a core requirement of many incentive and quality improvement programs, including the electronic health record (EHR) Meaningful Use incentive payment program and the Quality Payment Program Merit-Based Incentive Payment System. A deficient SRA is the primary reason organizations fail EHR audits. 

  • SRA documentation is required if the Department of Health and Human Services Office of Civil Rights (OCR), audits your practice. If you cannot produce documentation of a current and complete SRA, OCR will impose a fine for that alone. If the audit identifies a potential HIPAA data breach or other compliance issue, flaws in your SRA add to the civil penalty amount, even if the breach was unrelated to your SRA. 

If the OCR audits or investigates your practice, you must submit a tremendous amount of detailed documentation, including: 

  • Policies, procedures and evidence of security efforts 
  • Proof of prevention, detection, containment and correction of security violations 
  • Authentication methods for authorized PHI users 
  • Business associate agreements 
  • Details about encryption, decryption and destruction of PHI 

If your IT staff has the necessary expertise and experience, they can conduct an annual SRA with readily available, free SRA tools from the OCR. However, a comprehensive SRA is complex and requires extensive knowledge of HIPAA rules and the ever-evolving information security technologies. Using external assistance can be worth the cost. 

SRA specialists can save time, money and reduce the chances of missing a potential vulnerability. SRA specialists minimize intrusion on day-to-day operations without diverting both administrative and IT staff from critical support functions. 

AFMC offers comprehensive SRAs under the HIPAA Security Rule as a paid service. SRAs can be conducted on-site or virtually. AFMC staff is highly experienced and has in-depth knowledge of HIPAA compliance standards and SRA requirements. For nearly 20 years, AFMC has successfully helped practices and providers complete their SRAs. For more information about SRAs, visit