If you create, receive, maintain, or transmit ePHI, you must perform and document a HIPAA Security Risk Analysis (SRA) and keep it current as systems and risks change. This guide gives you a 10‑step checklist, a free SRA template (Excel), and a companion POA&M worksheet so you can prioritize remediation, track progress, and defend your program during an audit or investigation.

Healthcare & BA expertsFlorida & Michigan presence50+ programs delivered

Before You Start: Define Scope

• Identify where ePHI lives and moves. Catalog EHRs, data warehouses, analytics tools, backups, SaaS, endpoints, and third‑party processors.
• Map data flows. Note inbound sources, integrations, and outbound destinations.
• List your vendors and BAAs. Confirm business associate agreements are executed and current; record security attestations and breach‑notification SLAs.
• Confirm your evaluation period. Reassess at least annually and upon material change.

Use the Asset Inventory, ePHI Systems & Flows, and Vendors & BAAs sheets in the template to capture this quickly.

The 10‑Step HIPAA SRA Checklist

1. Build an asset inventory. Track systems, owners, locations, encryption status, backups, and MFA coverage.
2. Document ePHI data flows. Show how ePHI enters, moves, and leaves systems; list authentication and access models.
3. Identify credible threats. Ransomware, credential attacks, insider misuse, misconfiguration, third‑party breach, etc.
4. Identify vulnerabilities. Patching, MFA gaps, excessive privilege, logging/retention, backup testing.
5. Define risk scenarios. Combine asset + threat + vulnerability (e.g., ransomware on unpatched EHR app server).
6. Score likelihood and impact (1–5). Use a consistent scale; Risk Score = L × I.
7. Document existing controls. Preventive, detective, corrective; map to HIPAA/NIST/CIS.
8. Propose safeguards & residual risk. List planned safeguards and estimate residual scores.
9. Prioritize into a POA&M. Assign owners, target dates, milestones, and budget estimates.
10. Review and sign off. Security review, executive approval, and board visibility.

What Evidence OCR Commonly Asks For

• The risk analysis itself (scope, method, assets, threats/vulns, scoring)
• Policies & procedures (access control, encryption, incident response, backup/DR)
• Logs and monitoring (SIEM coverage & retention)
• BAAs and vendor security attestations
• POA&M with statuses and target dates
• Training records and sanction policy

Keep an Evidence Log with links/paths to artifacts so you are audit‑ready on day one.

When to Add Technical Validation

• Penetration Testing to validate attack paths to ePHI and test MFA & logging.
• Cloud Security Review of IAM, network controls, storage encryption, and logging.
• vCISO Oversight to operationalize governance, metrics, and board reporting.

From SRA to Results in 30 Days

1. Week 1: Complete inventory, flows, vendor list; kick off scans and config reviews.
2. Week 2: Draft risk scenarios; score top 20 by exposure to ePHI.
3. Week 3: Confirm existing controls; finalize safeguards; build the POA&M.
4. Week 4: Executive review and sign‑off; schedule monthly POA&M check‑ins and quarterly metrics.

Common Pitfalls That Trigger Findings

• Scope limited to one system (not enterprise‑wide)
• Missing BAAs for data‑handling vendors
• MFA not enforced for privileged or remote access
• Backups untested; no offline/immutable copy
• Logging gaps or short retention
• Access not reviewed; former users still provisioned
• No formal POA&M or missed target dates

Get the SRA + POA&M Template (Free)

Fill out the short form below to receive instant access to the HIPAA SRA Template and companion POA&M worksheet. We’ll also email you the links for safekeeping. Please do not include PHI in this form.

FAQ