What is a Security Risk Assessment (SRA)?

Modified on Tue, 13 Jun, 2023 at 8:56 AM

The HIPAA Security Rule contains a series of standards to ensure the protection of electronic protected health information.  These standards fall into one of three categories: administrative safeguards, physical safeguards, and technical safeguards. One administrative standard is known as the security management process standard. This standard requires covered entities and business associates to “Implement policies and procedures to prevent, detect, contain, and correct security violations.”  To implement this standard, an entity must perform a security risk analysis, which is also referred to as a security risk assessment. A security risk analysis (SRAA) is “....an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by a covered entity or business associate.


What is the Purpose of a Security Risk Analysis?

The Security Rule’s administrative safeguards requirements are designed to ensure the  protection of the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. To account for changes in business practices and changes in the law, organizations should continuously conduct an SRA.  According to guidance provided by the Department of Health and Human Services, “The risk analysis process should be ongoing. In order for an entity to update and

document its security measures “as needed,” which the Rule requires, it should conduct

continuous risk analysis to identify when updates are needed.” The guidance further states that “A truly integrated risk analysis and management process is performed as new

technologies and business operations are planned, thus reducing the effort required to

address risks identified after implementation.”


What is the Scope of a Security Risk Analysis?

According to guidance issued by the Department of Health and Human Services (HHS), the scope of a risk analysis that the Security Rule encompasses, includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:

  1. Creates;

  2. Receives;

  3. Maintains; or

  4. Transmits


The analysis must assess risks to ePHI in all forms of electronic media. Types of electronic media include hard drives, zip drives, flash drives, SD cards, laptops, smartphones, and other devices on which ePHI is stored or can be accessed.  An SRA must take into account all ePHI, regardless of the medium in which it was created, received, maintained, or transmitted, and regardless of its source or location.


What are the Elements of a Security Risk Analysis?
A security risk analysis contains six components:

  1. Collecting Data

  2. Identifying and Documenting Potential Threats and Vulnerabilities

  3. Assessing Current Security Measures

  4. Determining the Likelihood of Threat Occurrence

  5. Determining the Potential Impact of Threat Occurrence

  6. Determining the Level of Risk


Need to show proof of your Security Risk Analysis?

Once you have finalized your audits please contact [email protected] for proof of your security risk assessment.


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article