HIPAA Security Risk Assessment for small medical practices: the plain-English version

April 13, 2026 | Gravity Networks | Compliance

If you run a small medical practice, dental office, therapy group, or any covered entity or business associate under HIPAA, you're required to conduct an annual Security Risk Assessment (SRA). It's in the HIPAA Security Rule — specifically 45 CFR § 164.308(a)(1)(ii)(A). But a lot of practices either skip it entirely, pay someone a few hundred dollars for a template PDF, or treat it as a box to check when malpractice insurance asks.

None of those are what HHS means when they ask for an SRA — and the difference matters when a breach notification or OCR audit happens. This post explains what an SRA actually is, what a credible one looks like, and the shortest path to a compliant version for a small practice.

What the HIPAA Security Rule actually requires

The regulation requires that every covered entity and business associate "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity." That's the whole sentence. What makes it specific is the HHS guidance on what "accurate and thorough" means.

The Office for Civil Rights' risk-analysis guidance lists the elements your SRA should cover. In plain English:

  • Scope. Identify every form of ePHI — where it lives, how it moves, who touches it.
  • Threats and vulnerabilities. What realistic bad things could happen to that data, and what weaknesses in your environment make those things more likely?
  • Current controls. What are you already doing to reduce those risks?
  • Likelihood and impact. For each risk, how likely is it, and how bad if it happens?
  • Risk determination. Is the remaining (residual) risk acceptable or does it need additional controls?
  • Documentation. Write it down. In an auditable form.
  • Review and update. Not a one-time event — an ongoing process.

What a credible SRA for a small practice looks like

For a five-provider practice with ePHI in an EHR, a handful of cloud services, and maybe a legacy on-prem server, a credible SRA is roughly 15–30 pages. It includes:

  • An asset inventory — every system that stores, processes, or transmits ePHI.
  • A data-flow diagram — where PHI enters the practice, where it's stored, who has access, where it leaves.
  • A threat enumeration — ransomware, insider access, lost device, phishing-driven account takeover, vendor breach, physical break-in, natural disaster, at minimum.
  • A vulnerability walkthrough — what controls you have in place for each threat (MFA on the EHR portal, encryption at rest, access logs, etc.) and where the gaps are.
  • A risk register — each identified risk, likelihood/impact rating, treatment decision (accept / mitigate / transfer), and named owner.
  • A remediation plan — for risks you chose to mitigate, what you're doing about them and by when.
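As an added illustration of the risk-register and remediation-plan items above (not code from the original post or from Gravity Networks), the following Python sketch models one register entry per identified risk and runs the completeness checks an auditor would apply: every risk has a named owner, every risk marked "mitigate" has a remediation step and a due date, and the register has been reviewed within the last year. The 3x3 likelihood-times-impact scoring, the rating thresholds, and the rule that a high residual risk should not simply be accepted are illustrative policy choices a practice would set for itself, not HHS requirements; the sample entries are constructed.

```python
# Added example: a minimal risk-register model for a HIPAA Security Risk
# Assessment. Scoring scheme, thresholds and completeness rules are assumed
# policy choices for illustration, not HHS or OCR requirements.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

LEVEL = {"low": 1, "medium": 2, "high": 3}
TREATMENTS = {"accept", "mitigate", "transfer"}


@dataclass
class Risk:
    asset: str                  # system from the asset inventory
    threat: str                 # entry from the threat enumeration
    vulnerability: str          # the gap that makes the threat plausible here
    current_controls: list      # controls already in place
    likelihood: str             # low / medium / high
    impact: str                 # low / medium / high
    treatment: str              # accept / mitigate / transfer
    owner: Optional[str] = None
    remediation: Optional[str] = None
    due: Optional[date] = None

    def score(self) -> int:
        """Likelihood x impact on a 1..9 scale (assumed 3x3 scheme)."""
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    def rating(self) -> str:
        """Collapse the score into the band used for the treatment decision."""
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def validate(risk: Risk) -> list:
    """Return the completeness problems an auditor would flag for one entry."""
    problems = []
    if risk.treatment not in TREATMENTS:
        problems.append("treatment must be accept, mitigate or transfer")
    if not risk.owner:
        problems.append("no named owner")
    if risk.treatment == "mitigate" and not (risk.remediation and risk.due):
        problems.append("mitigated risk has no remediation plan or due date")
    if risk.treatment == "accept" and risk.rating() == "high":
        problems.append("high residual risk accepted without added controls")
    return problems


def register_report(risks: list, last_reviewed_iso: str, today_iso: str) -> dict:
    """Summarise the register: findings per risk plus the annual-review check."""
    last_reviewed = date.fromisoformat(last_reviewed_iso)
    today = date.fromisoformat(today_iso)
    findings = {r.threat: validate(r) for r in risks}
    return {
        "findings": findings,
        "open_problems": sum(len(p) for p in findings.values()),
        # "Review and update" is an ongoing obligation; flag a stale register.
        "review_overdue": today - last_reviewed > timedelta(days=365),
    }


# Constructed sample entries for an imaginary five-provider practice.
SAMPLE_RISKS = [
    Risk("EHR cloud portal", "phishing-driven account takeover",
         "no MFA on remote logins", ["password policy"],
         "high", "high", "mitigate", owner="Practice manager",
         remediation="enable MFA for all portal accounts",
         due=date(2026, 6, 30)),
    Risk("Legacy on-prem file server", "ransomware",
         "unsupported OS, no tested backups", ["perimeter firewall"],
         "medium", "high", "mitigate", owner="IT vendor"),
    Risk("Front-desk laptop", "lost or stolen device",
         "disk not encrypted", ["screen lock"],
         "medium", "medium", "accept"),
]

if __name__ == "__main__":
    report = register_report(SAMPLE_RISKS, "2024-11-01", "2026-04-13")
    for threat, problems in report["findings"].items():
        print(f"{threat}: {problems or 'ok'}")
    print("open problems:", report["open_problems"],
          "| annual review overdue:", report["review_overdue"])
```

Run as-is, the first entry passes, the ransomware entry is flagged because "mitigate" was chosen without a remediation step or date, the laptop entry is flagged for lacking an owner, and the register is reported as overdue because the assumed last review is more than a year old. The point of keeping these checks in code rather than in a reviewer's head is that the register stays honest between annual reviews: a gap that was accepted or left unowned shows up every time the report is produced.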

The HHS SRA Tool: legitimate starting point, not a finish line

HHS publishes the HHS SRA Tool — a free downloadable Windows/Mac application that walks you through questions and produces a report. It's a legitimate tool and the HHS-published answer to "what does a compliant SRA look like for a small practice?"

That said — the tool only works if you answer honestly. Most failed SRAs aren't failed because the tool was wrong; they're failed because someone clicked "yes" to "do you have MFA on all access to ePHI" when they don't, and the document becomes a statement of the practice you wish you had rather than the one you actually have.

What OCR actually looks at in an audit

When OCR investigates a breach, they frequently ask to see the most recent risk assessment. The three most common deficiencies they cite, based on published resolution agreements, are:

  1. The practice had no risk assessment at all.
  2. The risk assessment was conducted once, years ago, and never updated.
  3. The risk assessment was generic — it didn't actually evaluate the practice's specific environment.

A credible SRA — one that's updated annually, reflects your actual environment, and has a risk register with ongoing remediation — is the strongest posture defense you can present when something goes wrong. A template PDF someone sold you in 2022 is not.

Where we come in

Gravity Networks runs SRAs for small and mid-size medical practices across Utah and Tennessee — either as a one-time engagement or as part of an ongoing managed compliance arrangement. We use the HHS SRA Tool as the framework, build the data-flow diagrams, interview the clinical and admin staff who touch PHI, and deliver a document that's auditable without being bloated. If last year's SRA was a PDF someone sold your office manager at a conference, let's talk about doing the real one.