How to Do a HIPAA Security Risk Analysis for Your Therapy Practice
The Security Risk Analysis is the single most important HIPAA compliance task for your practice. It is also, by a wide margin, the single most commonly cited deficiency in OCR enforcement actions. These two facts have been true for over a decade, and they are more true now than ever.
OCR's Risk Analysis Initiative, launched in late 2024, is specifically targeting practices that haven't conducted thorough risk analyses. By early 2026, the initiative has produced 11 enforcement actions. In 2025, every single one of the ten resolution agreements OCR announced cited failure to conduct a thorough Security Risk Analysis as a primary finding. Not some of them. All ten.
Solo practices are not exempt from this. The Manasa Health Center settlement in 2024 was $30,000 — a solo-scale practice. Other small practices have settled for $25,000-$30,000 specifically over missing or outdated risk analyses. These are not massive health systems with legal departments. These are practices that look a lot like yours.
Yet most solo therapists either haven't done a Security Risk Analysis at all, started the government's free SRA tool and gave up around question 40 of 156, or paid a consultant thousands of dollars for what should be a manageable process. None of these outcomes is acceptable, and none is necessary.
This article walks through exactly what a Security Risk Analysis involves for a solo therapy practice, step by step, in plain English. If you want the comprehensive overview of HIPAA compliance for solo practices, start with our complete 2026 guide. This article goes deep on the risk analysis specifically.
What a Security Risk Analysis actually is
A Security Risk Analysis (SRA) is a systematic, written review of three things:
- Where does electronic protected health information (ePHI) live in your practice? Every system, device, and tool that touches patient data.
- What could go wrong? Every realistic threat — stolen laptop, phishing email, vendor breach, lost phone, misdirected email, natural disaster.
- How are you protecting against those threats? What safeguards are in place, and where are the gaps?
The legal basis is 45 CFR §164.308(a)(1)(ii)(A), which requires covered entities and business associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
Two things about this requirement that most therapists miss:
It's not a one-time checklist. The Security Rule requires you to review and update your risk analysis "periodically." The current rule does not fix a number, but HHS guidance and OCR enforcement treat an annual review as the expected baseline, and the proposed Security Rule updates would make a review at least every 12 months an explicit requirement. On top of that, any time something significant changes in your practice you should update it: a new EHR, a new staff member, a new telehealth platform, a security incident, a new AI tool. A risk analysis from 2023 that describes tools you no longer use is almost as useless as no risk analysis at all.
The terminology is interchangeable. You'll see "Security Risk Analysis" and "Security Risk Assessment" used in different contexts. The regulation itself says "risk analysis." OCR's free tool calls it a "Security Risk Assessment." HHS guidance uses both terms. They mean the same thing. Don't let anyone tell you they're different processes.
Why OCR cares about this more than anything else
If you understand only one thing about HIPAA enforcement, understand this: the risk analysis is the foundation that everything else sits on. Without it, OCR considers every other compliance measure you've taken to be ungrounded — you can't know whether your safeguards are adequate if you haven't systematically identified what you're protecting against.
This is why OCR's Risk Analysis Initiative exists. It's not a bluff, and it's not targeted only at hospitals. The initiative specifically uses targeted audits and enforcement to ensure that covered entities of all sizes — including solo practices — are conducting thorough, documented risk analyses.
The practical consequence for you: if OCR ever investigates your practice (usually triggered by a patient complaint or a breach report, even a small one), the first document they ask for is your written risk analysis. If you can't produce one, you are in immediate, documented non-compliance with the Security Rule's most fundamental requirement. Every other safeguard you've implemented — your encryption, your passwords, your BAAs — is undermined, because you can't demonstrate that those safeguards were chosen based on an actual assessment of your practice's specific risks.
The proposed Security Rule updates (the notice of proposed rulemaking HHS published in January 2025, expected to be finalised in 2026) would raise the bar further. They would require quantitative risk ratings (not just "high/medium/low" narratives), mandatory encryption of ePHI at rest and in transit with the "addressable" flexibility removed, MFA across the board, vulnerability scanning at least every six months plus penetration testing at least annually, and a formal technology asset inventory and network map. The current rule is more flexible. The window to get a solid risk analysis in place under the current, more manageable requirements is closing.
What the government's free tool looks like (and why most therapists give up)
HHS offers a free Security Risk Assessment Tool. It's a desktop application that walks you through 156 questions covering all the Security Rule's requirements. In theory, this is a generous public resource. In practice, it's nearly unusable for solo therapists.
The tool was designed by and for IT departments. The language assumes you know terms like "workforce clearance procedures," "entity authentication," "information system activity review," and "maintenance records." Each question links to the specific regulatory citation, which is helpful if you're a compliance officer and unhelpful if you're a therapist trying to figure out whether your laptop setup is adequate.
Most solo therapists who try the SRA Tool give up somewhere around question 40. They're not failing — the tool is failing them. It's the right content in the wrong format for the wrong audience.
This is the gap that needs to be filled: a structured risk analysis process that covers the same regulatory requirements, but in language that makes sense to the people who actually need to complete it.
The five areas your risk analysis must cover
HIPAA's Security Rule organises its requirements into categories of safeguards. Here's what each one means for a solo therapy practice, in plain English.
1. Administrative safeguards — your compliance foundation
This is the paperwork and planning side of compliance. For a solo practice, administrative safeguards include:
- The risk analysis itself — you're reading about it right now
- Written policies and procedures — documented rules for how your practice handles ePHI (they don't need to be elaborate, but they need to exist in writing)
- Security Official designation — in a solo practice, that's you, but it should be documented
- Training — even if you're the only person in your practice, you need to demonstrate that you've reviewed and understand your own policies
- Incident response plan — what you'll do if something goes wrong (more on this under breach preparedness)
- Business Associate Agreements — contracts with every vendor who handles your patient data
- Documentation retention — HIPAA requires you to retain policies, procedures and risk analysis documentation for at least six years from the date they were created or the date they were last in effect, whichever is later
Most solo practices have some of these in place informally but not in writing. Informal practices count for nothing with OCR. If it isn't documented, it didn't happen.
2. Physical safeguards — your devices and space
Physical safeguards protect the actual hardware and physical locations where ePHI is accessible. For a solo practice:
- Device passwords and auto-lock — every device that can access patient data should lock automatically after a few minutes of inactivity
- Encryption at rest — your laptop's hard drive, your phone's storage, any external drives. This means FileVault on Mac, BitLocker on Windows, and a passcode set on your phone (current iPhones and Android phones encrypt their storage once a passcode is set). Store the recovery key somewhere other than the device itself, such as your password manager, or a forgotten password becomes a lost record
- Secure transport — how you carry devices between your office and your home. A stolen laptop bag is one of the most common breach scenarios for small practices
- Disposal — when you retire a device, the data on it needs to be securely wiped, not just deleted
- Facility access — even in a home office, there should be some consideration of who can physically access your devices and patient records
The most commonly missed item here is encryption. Many therapists assume their devices are encrypted because they have a password. A password without full-disk encryption means anyone who removes the hard drive can read everything on it without ever entering the password.
3. Technical safeguards — your systems and access
Technical safeguards are the digital security controls on your systems. For a solo practice:
- Unique user IDs — every person who accesses your systems should have their own login, not a shared account (relevant if you have an admin or billing person)
- Multi-factor authentication (MFA) — a second verification step beyond your password, on every system that offers it. This is the single highest-impact security measure you can implement
- Strong passwords — unique, complex passwords for every system. A password manager makes this practical
- Audit logging — your EHR should log who accessed what and when. Most healthcare EHRs do this automatically. Check that it's turned on
- Encryption in transit — data should be encrypted when it moves between systems (TLS/HTTPS). Your EHR and email should both use this. If you're still using a service that doesn't encrypt in transit, that's a critical gap
- Secure email — if you communicate anything patient-related via email, that email service needs a BAA and proper configuration. Free Gmail is not compliant; paid Google Workspace with a signed BAA can be. See our detailed Gmail breakdown for the specifics
The most commonly missed item here is MFA. It takes five minutes to set up, it's free on almost every service, and it blocks the vast majority of credential-based attacks. If you do nothing else after reading this article, enable MFA on your EHR, your email, and any cloud service that stores patient data. Where the service offers a choice, prefer an authenticator app or a hardware security key over text-message codes; SMS codes are far better than nothing, but they are the weakest option.
4. Vendor management — your business associate agreements
Every third-party service that handles ePHI on your behalf needs a signed Business Associate Agreement (BAA). For a typical solo therapy practice, this includes:
- Your EHR (SimplePractice, TherapyNotes, TheraNest, etc.)
- Your email provider (if used for any patient communication)
- Your telehealth platform (if separate from your EHR)
- Your cloud storage (Google Drive, Dropbox, etc., if used for patient-related files)
- Any AI tools used with patient data (transcription services, note-generation tools)
- Your billing or claims clearinghouse (if applicable)
The Change Healthcare breach in early 2024 — which affected over 100 million patient records — put vendor management squarely in OCR's enforcement crosshairs. It demonstrated that a single vendor breach can cascade across thousands of practices. Having signed BAAs doesn't prevent vendor breaches, but it establishes the legal framework for accountability and notification that HIPAA requires.
The most commonly missed item here is the completeness of the inventory. Most therapists have a BAA with their EHR and maybe their telehealth platform. They often forget about email, cloud storage, AI transcription tools, the accounting software that receives billing data, and the phone answering service that takes messages with patient names.
5. Breach preparedness — your incident response plan
Breach preparedness means having a plan in place before something goes wrong. For a solo practice:
- Written incident response plan — step-by-step procedures for what to do if you discover a breach (who to contact, how to contain it, what to document)
- Notification deadlines — HIPAA requires you to notify affected individuals without unreasonable delay and no later than 60 calendar days after you discover a breach (60 days is the outer limit, not a target). If the breach affects 500 or more people, you notify HHS/OCR within that same window; if it affects more than 500 residents of a single state or jurisdiction, you also notify prominent media outlets serving that area. For smaller breaches you keep a log and report them to OCR no later than 60 days after the end of the calendar year in which they were discovered
- Pre-drafted notification templates — having template letters ready means you can respond quickly instead of writing from scratch under stress
- Tabletop exercise — walking through a hypothetical breach scenario to test your plan. For a solo practice, this can be as simple as sitting down for 30 minutes and asking yourself "what would I actually do if my laptop was stolen right now?" and writing down the answer
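The deadline rules above are easy to get wrong under stress, especially the annual-log deadline for small breaches, which falls on 1 March, or 29 February when the following year is a leap year. Here is an added worked example (not code from the original article) that encodes those timing rules in a small Python planner. The discovery dates and head counts in it are constructed for illustration, and it is a planning aid rather than legal advice: the rule also requires notice "without unreasonable delay," so treat every date it returns as the latest permissible day, not the target.

```python
"""Breach notification deadline planner for a small practice.

Added example, not part of the original article. It encodes the timing rules
from the HIPAA Breach Notification Rule (45 CFR 164.404 to 164.408):
  - affected individuals: no later than 60 calendar days after discovery
  - HHS: within that same window when 500 or more individuals are affected,
    otherwise through the annual log no later than 60 days after the end of
    the calendar year of discovery
  - media: only when more than 500 residents of one state or jurisdiction
    are affected
All discovery dates and counts below are constructed sample input.
"""
from datetime import date, timedelta
from typing import Dict, Optional, Union

OUTER_LIMIT = timedelta(days=60)   # the rule's "no later than" limit, not a target


def _as_date(value: Union[date, str]) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def deadlines(discovered: Union[date, str], affected: int,
              max_in_one_state: int) -> Dict[str, Optional[date]]:
    """Latest permissible date for each notice; None where that notice is not required.

    discovered       -- the date you first knew (or should have known) of the breach
    affected         -- total individuals whose PHI was involved
    max_in_one_state -- the largest number of those living in any single state
    """
    if affected < 0 or not 0 <= max_in_one_state <= affected:
        raise ValueError("counts must be non-negative and a state count cannot exceed the total")
    found = _as_date(discovered)
    individuals = found + OUTER_LIMIT                       # 164.404(b)
    if affected >= 500:
        hhs = individuals                                   # 164.408(b): contemporaneous
    else:
        # 164.408(c): log it, then submit within 60 days after the end of the
        # calendar year of discovery (1 March, or 29 February in a leap year).
        hhs = date(found.year, 12, 31) + OUTER_LIMIT
    media = individuals if max_in_one_state > 500 else None  # 164.406
    return {"individuals": individuals, "hhs": hhs, "media": media}


def days_left(deadline: Optional[date], today: Union[date, str]) -> Optional[int]:
    """Days remaining until a deadline (negative once it has passed), or None."""
    return None if deadline is None else (deadline - _as_date(today)).days


if __name__ == "__main__":
    # Constructed scenarios: a lost laptop with 12 clients on it, a misdirected
    # email discovered in November, and a vendor breach touching 620 people.
    for label, found, total, in_state in [
        ("lost laptop", "2025-03-10", 12, 12),
        ("misdirected email", "2023-11-15", 40, 40),
        ("vendor breach", "2025-01-02", 620, 610),
    ]:
        plan = deadlines(found, total, in_state)
        print(f"{label}: individuals by {plan['individuals']}, HHS by {plan['hhs']}, "
              f"media {'by ' + str(plan['media']) if plan['media'] else 'not required'}")
```

Run it as a script to see the three constructed scenarios, or call `deadlines()` from your own incident checklist. The two edge cases worth noticing are the year-end log deadline shifting to 29 February after a leap-year boundary, and the media notice depending on residents of one state rather than on the total head count, so a 900-person breach spread across many states may need no media notice at all.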
Most solo practices have no incident response plan at all. This is understandable — it feels like planning for failure — but it's a required element of HIPAA compliance, and it's one of the items OCR checks during investigations.
Step by step: how to actually do this
Here's the practical walkthrough for completing a Security Risk Analysis as a solo therapist.
Step 1: List everywhere ePHI lives
Write down every system, device, and tool in your practice that touches patient information. Include the obvious ones (your EHR, your computer, your phone) and the ones people forget:
- Backup drives or external storage
- Transcription tools or AI note-generation tools
- Personal devices used for work (even occasionally)
- The laptop you take home from the office
- Paper records, if you have any
- Voicemail systems that store patient messages
- Text messaging apps used for scheduling
This list becomes your technology asset inventory — a term you'll see in the proposed 2026 rule updates, and a document OCR increasingly expects to see.
Step 2: Identify what could go wrong
For each item on your list, ask: what are the realistic threats? Don't try to imagine every possible disaster movie scenario. Focus on what actually happens to small practices:
- Stolen or lost device — the most common breach scenario for solo practices
- Phishing email — someone tricks you into revealing your login credentials
- Vendor breach — your EHR or another service gets compromised (this is what happened with Change Healthcare)
- Misdirected communication — email or fax sent to the wrong person
- Unauthorised access — someone who shouldn't have access gets into your systems (a family member using your laptop, an old employee whose access wasn't revoked)
- Natural disaster — fire, flood, power outage that destroys your local records
Step 3: Assess likelihood and impact
For each risk, rate how likely it is and how bad it would be if it happened. The current rule allows qualitative ratings (high, medium, low). The proposed 2026 updates would require numerical scores, but under the current rule, a simple matrix works:
- High likelihood / high impact = critical risk (address immediately)
- High likelihood / low impact or Low likelihood / high impact = important risk (address soon)
- Low likelihood / low impact = monitor (address when practical)
Step 4: Document your current safeguards
For each risk, write down what you're currently doing to mitigate it. Be honest — this document is for your benefit, not for show. If you don't have encryption on your laptop, write that down. If you haven't enabled MFA on your EHR, write that down. The gaps you identify here are the ones you'll fix.
Step 5: Identify the gaps
Where is the protection missing or inadequate? This is the core output of the risk analysis — a specific list of items that need to be addressed. Each gap should be tied to a specific risk, a specific system, and a specific safeguard that's missing.
Step 6: Prioritise and make a remediation plan
Not every gap is equally urgent. Critical gaps (high likelihood, high impact) get addressed first. For each gap, write down: what needs to be done, who's responsible (in a solo practice, that's you), and by when.
Step 7: Document everything
The written analysis — your asset inventory, your risk assessment, your gap list, your remediation plan — is itself a compliance document. HIPAA requires you to retain it for at least six years from its creation or from the date it was last in effect, whichever is later. Keep it somewhere accessible and secure, and keep each dated, superseded version too: the history is how you show OCR that the analysis has actually been maintained rather than written once.
Step 8: Set a reminder to update it
At minimum, annually. Also any time something significant changes: new EHR, new tool, new staff member, security incident, significant change to your practice workflow. Put a recurring calendar reminder for your annual review.
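Steps 1 to 8 are a procedure, and the easiest way to keep the result honest and current is to keep it in a form you can regenerate. Here is an added worked example, not code from the original article, that captures the whole procedure in one small Python script: an asset inventory, a risk register with the article's likelihood/impact matrix, the gap list and remediation plan, the rendered written document, and the next review date. The practice name, assets, threats, ratings, safeguards and due dates in it are a constructed sample for a hypothetical solo practice; replace them with your own.

```python
"""Written risk register for a solo practice, following Steps 1 to 8 above.

Added example, not part of the original article. Everything in SAMPLE_RISKS is
a constructed sample for a hypothetical practice. The rating rule is the
article's matrix: high/high = critical, mixed = important, low/low = monitor.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PRIORITY = {"critical": 0, "important": 1, "monitor": 2}
REVIEWED_ON = date(2026, 1, 15)   # constructed review date for the sample


@dataclass
class Risk:
    asset: str                  # Step 1: where the ePHI lives
    threat: str                 # Step 2: what could go wrong
    likelihood: str             # Step 3: "high" or "low"
    impact: str                 # Step 3: "high" or "low"
    safeguards: List[str]       # Step 4: what is in place today
    gap: str = ""               # Step 5: the missing safeguard, if any
    remediation: str = ""       # Step 6: what you will do about it
    due: Optional[date] = None  # Step 6: by when


def rate(likelihood: str, impact: str) -> str:
    """Apply the likelihood/impact matrix; anything but high/low is rejected."""
    if likelihood not in ("high", "low") or impact not in ("high", "low"):
        raise ValueError("likelihood and impact must be 'high' or 'low'")
    if likelihood == "high" and impact == "high":
        return "critical"
    if likelihood == "low" and impact == "low":
        return "monitor"
    return "important"


def assets(risks: List[Risk]) -> List[str]:
    """Step 1 output: the technology asset inventory, de-duplicated."""
    return sorted({r.asset for r in risks})


def open_gaps(risks: List[Risk]) -> List[Risk]:
    """Steps 5 and 6: only risks with a missing safeguard, most urgent first."""
    with_gap = [r for r in risks if r.gap]
    return sorted(with_gap, key=lambda r: (PRIORITY[rate(r.likelihood, r.impact)], r.asset))


def next_review(reviewed_on: date) -> date:
    """Step 8: one year out; a 29 February review rolls to 28 February."""
    try:
        return reviewed_on.replace(year=reviewed_on.year + 1)
    except ValueError:
        return reviewed_on.replace(year=reviewed_on.year + 1, day=28)


def render(practice: str, risks: List[Risk], reviewed_on: date) -> str:
    """Step 7: the written analysis as a Markdown document you keep for six years."""
    lines = [f"# Security Risk Analysis: {practice}",
             f"Reviewed on {reviewed_on.isoformat()}; next review due {next_review(reviewed_on).isoformat()}",
             "", "## Asset inventory (Step 1)"]
    lines += [f"- {a}" for a in assets(risks)]
    lines += ["", "## Risk register (Steps 2 to 4)",
              "| Asset | Threat | Likelihood | Impact | Rating | Current safeguards |",
              "|---|---|---|---|---|---|"]
    for r in risks:
        lines.append(f"| {r.asset} | {r.threat} | {r.likelihood} | {r.impact} | "
                     f"{rate(r.likelihood, r.impact)} | {'; '.join(r.safeguards) or 'none'} |")
    lines += ["", "## Remediation plan (Steps 5 and 6)"]
    for r in open_gaps(risks):
        due = r.due.isoformat() if r.due else "not set"
        lines.append(f"- [{rate(r.likelihood, r.impact)}] {r.asset}: {r.gap}. "
                     f"Action: {r.remediation}. Owner: practice owner. Due: {due}")
    return "\n".join(lines) + "\n"


SAMPLE_RISKS = [  # constructed sample, not a real practice
    Risk("Practice laptop (MacBook)", "Stolen or lost device", "high", "high",
         ["Login password", "Auto-lock after 5 minutes of inactivity"],
         gap="FileVault full-disk encryption is not turned on",
         remediation="Turn on FileVault and store the recovery key in the password manager",
         due=date(2026, 2, 1)),
    Risk("EHR (cloud-hosted)", "Phishing email captures the login", "high", "high",
         ["Unique login", "Signed BAA with the vendor"],
         gap="MFA is not enabled on the EHR account",
         remediation="Enable app-based MFA in the EHR security settings",
         due=date(2026, 1, 20)),
    Risk("EHR (cloud-hosted)", "Vendor breach", "low", "high",
         ["Signed BAA with the vendor", "Vendor audit logging enabled"]),
    Risk("Personal phone with AI transcription app", "Vendor breach of session audio", "high", "high",
         ["Device passcode", "Storage encryption on by default"],
         gap="No BAA with the transcription vendor",
         remediation="Obtain a signed BAA or stop using the app for sessions",
         due=date(2026, 2, 15)),
    Risk("Free Gmail account used for scheduling", "Misdirected email", "high", "low",
         ["Address autocomplete disabled"],
         gap="Free Gmail has no BAA",
         remediation="Move to Google Workspace with a signed BAA or drop email for scheduling",
         due=date(2026, 3, 31)),
    Risk("Home office paper intake forms", "Fire or flood", "low", "low",
         ["Locked filing cabinet"]),
]

if __name__ == "__main__":
    print(render("Example Counseling, PLLC (hypothetical)", SAMPLE_RISKS, REVIEWED_ON))
```

Running the script prints the document; saving that output with its review date, and keeping the previous versions, gives you the dated history from Step 7. Two design points carry over to any format you use instead: a risk with no gap (the EHR vendor-breach row here) still belongs in the register, because it records that you considered the threat and found the safeguards adequate, and the remediation plan is derived from the register rather than maintained separately, so the two cannot drift apart.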
What most solo therapists get wrong
In order of how often we see these:
Not doing one at all. The most common and most consequential mistake. If OCR investigates, the absence of a written risk analysis is the first and most serious finding. Everything else is downstream of this.
Doing it once and never updating. A risk analysis from three years ago doesn't reflect your current practice. New tools, new threats (AI tools didn't exist in most practices three years ago), and new regulatory expectations make an old analysis increasingly useless.
Only covering the EHR. Your EHR is one system among many. Email, personal devices, telehealth platforms, cloud storage, AI transcription tools, backup drives — all of these handle ePHI and all of them need to be in your risk analysis.
Not documenting it in writing. "I have good security practices" is not a risk analysis. OCR wants a written document that shows you systematically identified your risks, assessed them, and addressed them. If it isn't written down, it doesn't count.
Confusing encryption with compliance. Encryption is one safeguard among dozens. Having encryption on your laptop is important, but it doesn't mean you're compliant. A risk analysis covers administrative, physical, and technical safeguards, plus vendor management and breach preparedness.
Skipping vendor and BAA review. After the Change Healthcare breach, vendor management is firmly on OCR's radar. Every service that handles patient data needs a signed BAA and a place in your risk analysis. Most therapists have a BAA with their EHR but forget about email, cloud storage, and AI tools.
A faster starting point
We built Yundra's free HIPAA Risk Assessment to be the starting point for your Security Risk Analysis. It's a structured 40-question assessment written in plain English, specifically designed for solo therapists and small mental health practices.
It covers all five safeguard categories — administrative, physical, technical, vendor management, and breach preparedness. When you finish, you get an instant compliance score, a breakdown by category, and a specific list of every gap we identified with plain-English remediation steps for each one. You can download a branded PDF that becomes the foundation of your written risk analysis documentation.
It takes about 25 minutes. It's free. No consultant fees, no jargon — see your score instantly.
Start the free HIPAA Risk Assessment →
If you want more context on what the assessment covers before starting, read our detailed explainer on how the assessment works.
What comes next
Take the free risk assessment to get your formal Security Risk Analysis started. Yundra walks you through 40 plain-English questions, scores your compliance across five categories, and generates all 7 HIPAA documents your practice needs — personalised to your specific setup, vendors, and gaps.