HIPAA Security Risk Assessment: The #1 OCR Enforcement Finding
If your healthcare practice handles electronic protected health information (ePHI), the HIPAA Security Rule (45 CFR §§164.302-318) requires you to conduct a Security Risk Assessment (SRA) — and document it thoroughly.
This isn't a nice-to-have. It's the #1 finding in OCR enforcement actions, cited in 72% of settlements and corrective action plans.
What Is a HIPAA SRA?
A Security Risk Assessment is a comprehensive evaluation of:
- All ePHI your organization creates, receives, maintains, or transmits
- Threats and vulnerabilities to that ePHI
- Current security measures in place
- Risk levels for each identified threat/vulnerability pair
- Remediation plans for unacceptable risks
The requirement comes from 45 CFR §164.308(a)(1)(ii)(A) — the Administrative Safeguards section of the Security Rule.
Why It's the #1 Enforcement Target
OCR enforcement data tells the story:
- 72% of resolution agreements cite missing or inadequate SRA
- The Anthem breach settlement ($16M) — inadequate SRA was Finding #1
- Banner Health ($1.25M) — no enterprise-wide SRA
- Premera Blue Cross ($6.85M) — failure to conduct SRA "sufficiently"
The pattern is consistent: when OCR investigates a breach, the first thing they ask for is your SRA. If you don't have one — or it's a checkbox form from 5 years ago — you're facing a corrective action plan at minimum.
HHS's Free SRA Tool — And Its Limitations
HHS offers a free SRA Tool, but it has significant limitations:
- Desktop-only Java application — no web version
- No formatted report output — generates raw data, not a professional assessment
- Designed for small practices — doesn't scale to multi-location organizations
- No remediation plan generation — identifies risks but doesn't create action items
- Annual update lag — often behind current NIST guidance
For a solo practitioner checking a box, it works. For a practice that needs to demonstrate compliance to OCR or a business associate, it falls short.
What OCR Expects in Your SRA
Based on OCR guidance and enforcement precedent:
- Scope definition — all locations, systems, and business associates that touch ePHI
- Asset inventory — every system that stores, processes, or transmits ePHI
- Threat identification — using NIST SP 800-30 methodology
- Vulnerability assessment — current gaps in the 42 HIPAA Security Rule implementation specifications
- Risk rating — likelihood × impact for each threat/vulnerability pair
- Risk management plan — specific remediation actions, responsible parties, timelines
- Documentation — the assessment itself is proof of compliance
Annual Requirement — Not One-Time
The HIPAA Security Rule requires SRAs to be conducted regularly — OCR interprets this as at least annually and whenever significant changes occur (new EHR system, new office location, new business associate relationship).
This means compliance officers need to generate a new, dated assessment each year.
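The SRA components listed above (asset inventory, threat/vulnerability pairs, likelihood × impact rating, remediation plan, dated documentation) and the annual/significant-change cadence can be modelled as a small risk register. The Python below is an added illustration written for this page; it is not HIPAASRAKit's code or the HHS SRA Tool. The 3×3 ordinal scales, the acceptance threshold of 4, the remediation deadlines and all sample assets and findings are constructed assumptions, not values prescribed by OCR or NIST SP 800-30.

```python
"""Illustrative HIPAA SRA risk register (added example; all scales and data assumed)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Qualitative tiers mapped to ordinals. This 3x3 mapping is an assumption of
# this example; NIST SP 800-30 lets the organization choose its own scales.
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}
# Scores at or above this value are treated as unacceptable (assumed policy).
ACCEPTANCE_THRESHOLD = 4
# Remediation deadline in days per risk level (assumed policy values).
DUE_DAYS = {"high": 30, "moderate": 90, "low": 365}


@dataclass(frozen=True)
class Asset:
    name: str
    location: str
    ephi_handling: tuple  # any of: create, receive, maintain, transmit


@dataclass(frozen=True)
class RiskItem:
    """One threat/vulnerability pair against one ePHI asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    existing_controls: tuple = ()
    owner: str = "UNASSIGNED (placeholder)"

    def score(self) -> int:
        # Risk rating: likelihood x impact, as the page describes.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "moderate" if s >= 3 else "low"


def rate_register(items):
    """Return the rated register, highest risk first (the documented assessment)."""
    rows = [{"asset": i.asset.name, "threat": i.threat, "vulnerability": i.vulnerability,
             "controls": list(i.existing_controls), "score": i.score(), "level": i.level()}
            for i in items]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def remediation_plan(items, assessed_on: str, threshold: int = ACCEPTANCE_THRESHOLD):
    """Action items (what, who, by when) for every risk at or above the threshold."""
    start = date.fromisoformat(assessed_on)
    plan = []
    for i in sorted(items, key=lambda r: r.score(), reverse=True):
        if i.score() < threshold:
            continue  # accepted risk: stays documented in the register, no action item
        plan.append({"asset": i.asset.name, "action": f"Remediate: {i.vulnerability}",
                     "owner": i.owner,
                     "due": (start + timedelta(days=DUE_DAYS[i.level()])).isoformat()})
    return plan


def assessment_is_current(last_assessed: str, today: str, significant_change: bool = False):
    """Annual cadence, plus re-assessment whenever a significant change occurred."""
    age = date.fromisoformat(today) - date.fromisoformat(last_assessed)
    return not significant_change and age <= timedelta(days=365)


# Constructed sample inventory and findings for a two-site practice (not real data).
EHR = Asset("EHR database server", "Main clinic", ("create", "maintain", "transmit"))
LAPTOP = Asset("Billing laptop", "Satellite office", ("receive", "maintain"))
FAX = Asset("Fax server", "Main clinic", ("receive", "transmit"))
TAPES = Asset("Offsite backup tapes", "Storage vendor", ("maintain",))

SAMPLE_REGISTER = [
    RiskItem(EHR, "credential theft", "remote access lacks MFA", "high", "high",
             ("password policy",), owner="IT lead (placeholder)"),
    RiskItem(LAPTOP, "device loss", "disk not encrypted", "moderate", "high"),
    RiskItem(FAX, "misdirected transmission", "no recipient verification", "moderate", "moderate"),
    RiskItem(TAPES, "physical theft", "tapes unencrypted in transit", "low", "moderate",
             ("vendor chain-of-custody log",)),
]
ASSESSMENT_DATE = "2024-03-01"  # constructed

if __name__ == "__main__":
    for row in rate_register(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['level']:<8} {row['asset']}: {row['threat']} / {row['vulnerability']}")
    for item in remediation_plan(SAMPLE_REGISTER, ASSESSMENT_DATE):
        print(f"due {item['due']} [{item['owner']}] {item['asset']}: {item['action']}")
    print("current:", assessment_is_current(ASSESSMENT_DATE, "2025-02-01"))
```

Running the module rates the four findings (9, 6, 4, 2), emits three action items because the backup-tape finding scores below the assumed threshold, and reports whether a dated assessment still satisfies the annual cadence. The currency check returns false as soon as a significant change is flagged, regardless of age, which matches the "whenever significant changes occur" trigger the page describes.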
Generate Your HIPAA SRA
HIPAASRAKit generates a complete HIPAA Security Risk Assessment covering all 42 implementation specifications. Professional, formatted output ready for OCR review.
Pay per assessment. No subscription.
Don't wait for a breach investigation to discover your SRA is inadequate.