When Did You Last Complete Your Security Risk Assessment?

The Security Risk Assessment (SRA) is consistently the most common HIPAA compliance gap for healthcare offices, not only when it is skipped entirely, but because the SRA requirement is often treated as a one-time activity rather than an ongoing process.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) takes this seriously. In October 2024, HHS launched its Risk Analysis Initiative — an enforcement effort specifically targeting noncompliance with the SRA requirement. Since then, OCR has issued multiple settlements, and the enforcement pace is picking up, not slowing down.

HIPAA requires covered entities to conduct a risk assessment of their electronic protected health information (45 CFR §164.308(a)(1)). A proper SRA should reflect how your practice actually operates today — the technology you use, how data moves through your office, who has access, and where the gaps are. The goal isn't perfection. It's having a current, documented picture of your security environment and a plan to address what you find.

If your last SRA didn't address those areas, or if it's been more than 12 months since you completed one, it's time to revisit it.

The ComplyBetter SRA tool walks you through the process question by question, then in just moments generates a formatted report specific to your practice. This tool, and all other ComplyBetter tools and features, are included in our all-in-one annual membership at no extra cost.

Get started with ComplyBetter today. Have questions? Contact our team or book a demo to learn more!
