The requirement

The HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)) requires every covered entity — including small medical, dental, and optometry practices — to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (ePHI). Business associates carry the same duty.

There is no small-practice exemption. Enforcement actions routinely cite a missing or inadequate risk assessment as the first finding.

What a real SRA covers

  • An ePHI inventory — everywhere patient data lives: the EHR, but also email, imaging systems, local servers, laptops, phones, backups, and vendor systems.
  • Threats and vulnerabilities for each location — ransomware, lost devices, departed employees with lingering access, unpatched systems.
  • Current safeguards and an honest evaluation of whether they work.
  • Likelihood and impact ratings that turn the list into priorities.
  • Documentation — the analysis, the decisions, and the follow-up plan. An assessment that exists only in someone’s head does not exist.

How often

At least annually, and after any significant change — new EHR, new location, new imaging system, a security incident. The most common failure mode is the one-time PDF: an SRA done years ago for a meaningful-use attestation and never touched since.

Where small practices go wrong

  1. EHR-only scope. The EHR vendor’s security covers the EHR. Most breaches start in email or on a laptop — inside your responsibility, outside their scope.
  2. No remediation trail. An SRA that identifies risks nobody then fixes is evidence against you, not for you.
  3. Nobody owns it. Without a named owner and a calendar, the refresh never happens.

HHS offers a free SRA tool that walks through the questions — a reasonable starting point, though it can’t verify that your answers match your actual configuration.

How Z1 helps

We run the SRA as part of every healthcare engagement — scoped to your whole environment, not just the EHR — and refresh it on schedule, with the remediation work and the evidence trail attached. Your practice gets a current assessment plus quarterly proof that the safeguards it prescribes are still in place.

The free gap analysis is the short version: 30 minutes to see where your practice stands against both HIPAA basics and your cyber-insurance application.