The HIPAA Requirement Most Practices Get Wrong Is the First One

The security risk analysis is HIPAA’s foundational requirement and its most-cited failure. What a compliant risk analysis actually contains, and how small practices get it right.

Ask a healthcare practice whether it is HIPAA compliant and the answer usually references the visible artifacts: the notice of privacy practices, the training video, the business associate agreements, maybe an encrypted email product. Ask the Office for Civil Rights what organizations get wrong, and the answer has been consistent across a decade of enforcement: the security risk analysis. It is the foundational requirement of the Security Rule, the first thing investigators request after a breach, and among the most commonly absent or inadequate elements cited in resolution agreements.

What the rule actually requires

The Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information the organization creates, receives, maintains, or transmits. Every clause of that sentence does work. Accurate and thorough means the analysis reflects your actual environment, not a template’s. All ePHI means everywhere it lives: the EHR, yes, but also email, texting, imaging systems, billing platforms, laptops, phones, backups, and the business associates holding copies. And the requirement is ongoing: a risk analysis from five systems and two office moves ago does not describe the organization that exists today.

What a real risk analysis contains

  • An ePHI inventory: every system, device, and vendor relationship where ePHI is created, received, maintained, or transmitted. Most practices are surprised by their own list.
  • Threats and vulnerabilities identified against that inventory: technical, physical, and human, from ransomware and credential theft to the unlocked records room and the departed employee whose access survived them.
  • An assessment of current controls, honestly stated.
  • Likelihood and impact ratings that reflect the practice’s real circumstances.
  • A risk determination and a documented remediation plan with owners and dates, because the companion requirement, risk management, obligates you to actually reduce the risks you found.

Why small practices fail it

Rarely from indifference. The common failure modes are inheritance and checkbox tooling: an analysis inherited from a predecessor or an EHR vendor that covered the vendor’s product and nothing else, or a generic online checklist that produced a score without an inventory. Both fail the accurate-and-thorough test the moment an investigator compares the document to the environment. And the trigger is rarely an audit; it is a breach. A stolen laptop, a phishing incident, a misdirected records release, and the first document request that follows is the risk analysis. Its absence converts an unfortunate incident into a compliance failure with penalties attached.

Getting it right at practice scale

A compliant risk analysis for a small or mid-size practice is genuinely achievable: inventory first, threats against the inventory, controls honestly assessed, risks ranked by real-world consequence, and a remediation plan the practice can execute. Scaled correctly, it is days of structured work, not months, and it does double duty: the same analysis satisfies cyber insurance applications and the security questionnaires that hospital systems and payers increasingly send. The practices that struggle are the ones that treat it as a document to obtain rather than an exercise to perform.

Daytol conducts HIPAA security risk analyses for practices and business associates, sized to the organization and built to survive an OCR document request. If yours predates your current systems, it is due.

more insights

Your SPRS Score Is Probably Wrong, and That Matters More Than It Used To

How the NIST 800-171 self-assessment scoring methodology works, why most SPRS scores are inflated, and how to fix yours before a prime or assessor checks.

Every defense contractor handling Controlled Unclassified Information has, somewhere in the Supplier Performance Risk System, a number between negative 203 and positive 110. That number is the organization’s self-assessed posture against NIST SP 800-171, and for years it functioned as paperwork: submitted once, rarely revisited, almost never checked

Read more >