
What Is a HIPAA Risk Assessment? A Plain-English Guide for Solo Practices


If you've spent any time looking into HIPAA compliance for your practice, you've almost certainly seen the term "Security Risk Analysis" thrown around. You've probably also noticed that nobody ever explains what it actually is. Articles tell you it's important, that you must do it, that OCR fines people for not having one — but they rarely walk you through what the thing itself looks like.

This guide does that. By the end of it, you'll know exactly what a HIPAA Security Risk Analysis is, what it has to contain, how often you need to do one, what happens if you skip it, and roughly how long it takes a solo practice to complete one properly.

The short version

A HIPAA Security Risk Analysis (sometimes called a Security Risk Assessment, or SRA — the terms are used interchangeably) is a structured, written evaluation of every place your practice's electronic patient information lives, every threat that could compromise it, and every safeguard you have in place to protect it. It's required by the HIPAA Security Rule under 45 CFR §164.308(a)(1)(ii)(A). It's the single most commonly cited deficiency in OCR enforcement actions. Every solo practice has to do one, document it in writing, update it at least annually, and retain the documentation for at least six years.

For a solo therapist, doing it properly takes roughly 10-15 hours of focused work the first time, and significantly less in subsequent years once the documentation framework is in place.

Why this matters more than almost any other compliance task

Here's a fact that should focus your attention. Of the ten HIPAA resolution agreements OCR announced in the first five months of 2025, every single one cited failure to conduct a thorough risk analysis as a primary finding. Not one in ten. Not most of them. All of them.

It is genuinely difficult to overstate how central this requirement has become to OCR's enforcement priorities. If you read any compliance attorney's analysis of recent enforcement trends, the message is consistent: the Security Risk Analysis is the single thing OCR looks for first, and the absence of one is the single most common cause of significant fines.

The penalties scale with the size of the practice, but solo and small practices are not exempt. Manasa Health Center settled with OCR in 2024 for $30,000 — a settlement repeatedly cited by compliance attorneys as proof that practice size offers no immunity. Other small healthcare providers have settled for $25,000-$100,000 for similar deficiencies, often with multi-year corrective action plans attached.

This is the part of compliance where the gap between "doing nothing" and "doing the basics" is enormous. A solo practitioner who has some documented risk analysis, even an imperfect one, is in a fundamentally different position from one who has nothing at all. OCR is far more lenient with practices that show good-faith effort than with practices that have nothing to show at all.

What a Security Risk Analysis actually is, in plain terms

Strip away the regulatory language and the framework jargon, and a Security Risk Analysis is six questions, asked systematically, and answered in writing.

Question 1: Where does my electronic patient information actually live?

This is your asset inventory. It's a written list of every system, device, application, and location where electronic protected health information (ePHI) is created, received, stored, or transmitted in your practice. For a solo therapist, this might include your EHR, your laptop, your phone if you use it for any work-related communication, your tablet if you take notes on one, your email account (and if you're using free Gmail, read this first), your telehealth platform, your billing service, your cloud backup, your transcription tool, and any AI tools you use.

Most solo practices significantly underestimate their scope here. The EHR is obvious. The laptop and phone are easy to forget. The fact that "my old backup drive in the desk drawer" counts is almost always missed.

Question 2: What could go wrong?

This is threat identification. It's a written list of the specific things that could compromise your patient information. The standard categories are unauthorised access (someone gets in who shouldn't), unauthorised disclosure (information leaves your practice when it shouldn't), data loss (information is destroyed or becomes unavailable), and data integrity issues (information is altered without authorisation).

In practice, for a solo practice, the realistic threats are: a stolen or lost laptop or phone, a phishing email that compromises your credentials, ransomware encrypting your files, an EHR vendor having a breach that exposes your data, accidentally emailing the wrong patient, or losing a backup drive.

Question 3: How likely is each of those things to happen?

This is likelihood assessment. Under the current rules you can rate things qualitatively — "high," "medium," "low." Under the proposed 2026 Security Rule update, OCR is pushing practices toward more structured, quantitative scoring aligned with NIST methodologies, but qualitative ratings are still acceptable for now if they're applied consistently.

Question 4: How bad would it be if it did happen?

This is impact assessment. For each threat, you estimate the consequences — to patients, to your practice, to your reputation, to your legal exposure. A stolen laptop with one patient's information is bad. A ransomware attack that encrypts your entire EHR is catastrophic.

Question 5: What am I currently doing about each one?

This is the safeguards inventory. For each threat, you document what controls you currently have in place. Encryption on your devices? MFA on your EHR? Automatic backups? A locked filing cabinet for any paper records? Written policies on who can access what?

This is the step where most solo practitioners discover they're doing more than they realised — and also discover gaps they didn't know existed.

Question 6: What am I going to do about the gaps?

This is the remediation plan. For every risk you've identified that isn't already mitigated to an acceptable level, you write down what you're going to do about it, who's responsible, and by when. For a solo practice, "who's responsible" is usually you.

That's it. That's a Security Risk Analysis. Six questions, answered systematically, in writing, with enough detail that someone reading it would understand your practice's security posture. The complexity comes not from the framework itself but from the breadth — you have to apply those six questions to every system, every device, every workflow.
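To make the six questions concrete, here is an added worked example in Python; it is not code from the original article or from Yundra's product. It keeps a small risk register in which each row answers questions 1 through 5 (asset, threat, likelihood, impact, safeguards in place), scores each row both numerically and as high/medium/low, and then produces the question 6 remediation plan for every risk still above an acceptable level. The sample assets and numbers are constructed, and the 1-5 scales, the banding thresholds, the rule that each documented safeguard lowers likelihood by one step, and the 30/90-day remediation windows are all assumptions chosen for illustration, not OCR's or NIST's tables.

```python
"""Toy HIPAA risk register applying the six questions above.

Added example: sample assets, threats and scores are constructed, and the
1-5 scales, risk bands, safeguard credit and due-date windows are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

SCALE = {1: "very low", 2: "low", 3: "moderate", 4: "high", 5: "very high"}


@dataclass
class Risk:
    asset: str                 # Q1: a place ePHI lives (from the asset inventory)
    threat: str                # Q2: what could go wrong with it
    likelihood: int            # Q3: 1 (rare) .. 5 (almost certain), before safeguards
    impact: int                # Q4: 1 (negligible) .. 5 (catastrophic)
    safeguards: list = field(default_factory=list)   # Q5: controls already in place
    owner: str = "practice owner"                    # Q6: who fixes the gap

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be an integer 1-5")

    def inherent_score(self) -> int:
        """Likelihood x impact with no safeguards counted (1-25)."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        # Assumption: each documented safeguard lowers likelihood one step, never below 1.
        return max(1, self.likelihood - len(self.safeguards))

    def residual_score(self) -> int:
        """What is left after the safeguards you actually have."""
        return self.residual_likelihood() * self.impact


def rating(score: int) -> str:
    """Map a 1-25 score to the high/medium/low bands (thresholds assumed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


BAND_ORDER = {"high": 0, "medium": 1, "low": 2}   # lower number = more severe
DUE_DAYS = {"high": 30, "medium": 90}             # assumed remediation windows


def remediation_plan(register, today, acceptable="low"):
    """Q6: one action item per risk whose residual rating is above the acceptable band."""
    plan = []
    for risk in register:
        residual = rating(risk.residual_score())
        if BAND_ORDER[residual] < BAND_ORDER[acceptable]:
            plan.append({
                "asset": risk.asset,
                "threat": risk.threat,
                "residual": residual,
                "owner": risk.owner,
                "due": today + timedelta(days=DUE_DAYS[residual]),
            })
    # Most severe gaps first, so the plan reads like a priority list.
    plan.sort(key=lambda item: BAND_ORDER[item["residual"]])
    return plan


# Constructed sample register for a solo therapy practice.
REGISTER = [
    Risk("laptop", "stolen or lost device", 3, 4,
         safeguards=["full-disk encryption", "screen lock"]),
    Risk("EHR account", "phishing steals login credentials", 4, 5,
         safeguards=["MFA"]),
    Risk("old backup drive in desk drawer", "drive lost or taken", 2, 4),
    Risk("email", "message sent to the wrong patient", 3, 3,
         safeguards=["confirm recipient before sending"]),
]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:<34} inherent={r.inherent_score():>2} ({rating(r.inherent_score())}) "
              f"residual={r.residual_score():>2} ({rating(r.residual_score())})")
    for item in remediation_plan(REGISTER, date(2026, 1, 15)):
        print(f"FIX [{item['residual']}] {item['asset']}: {item['threat']} "
              f"-> owner {item['owner']}, due {item['due']}")
```

Run as a script, it prints one line per asset showing the inherent and residual scores, then the remediation items: in the constructed register the encrypted laptop and the email workflow drop to "low" and need no action, while the phished EHR account stays "high" and the unprotected backup drive stays "medium", each with an owner and a due date. The point of keeping the numbers alongside the labels is that the same register satisfies a qualitative review today and can be carried over to a numerically scored one without redoing the inventory.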

How long does this actually take?

For a solo practice doing it properly the first time: realistically, 10-15 hours of focused work. Not all in one sitting — most practitioners spread it across two or three weeks, doing a chunk at a time as they encounter each system or workflow.

Subsequent annual reviews are much faster — typically 3-5 hours, because you're updating an existing document rather than building one from scratch.

If you've been quoted multi-thousand-dollar consultant fees to do this, what you're paying for is largely (a) the consultant's time mapping your practice for you and (b) the reassurance of a third-party signature. Neither is required by HIPAA. OCR does not care whether you did the analysis yourself or hired someone to do it. They care that it exists, that it's thorough, and that it's documented.

How often do you need to do it?

The HIPAA Security Rule doesn't specify an exact frequency, but OCR guidance and consistent enforcement patterns make the answer clear in practice:

  • At least once a year, regardless of whether anything has changed
  • After any significant change — new EHR, office move, hiring or losing staff, adopting a new technology (telehealth platform, AI tool, new device)
  • After any security incident, even a minor one
  • After any major regulatory update — the 2026 Security Rule changes are exactly the kind of trigger that should prompt a fresh review

The "annual at minimum" guidance is the floor, not the ceiling. A practice that did its SRA two years ago and hasn't touched it since is in a much worse position than one that updates lightly every year, even if the updates are small.

What you have to keep, and for how long

HIPAA requires you to retain all Security Risk Analysis documentation for at least six years from the date of creation or the date it was last in effect, whichever is later. This isn't optional and it isn't negotiable.

What "documentation" means in practice: the actual written analysis, any spreadsheets or worksheets you used, your asset inventory, your remediation plan, evidence of any remediation actions you completed (screenshots, dated notes, vendor confirmations), and any updates you made over time.

The single most important thing to internalise: OCR's first request in any investigation is for written documentation. If you've done all the right things but can't show them on paper, OCR may treat your practice the same as a practice that did nothing at all. The documentation isn't optional bureaucracy — it is the compliance.

Why most solo practitioners give up partway through

There's a free HHS Security Risk Assessment Tool, available from hhs.gov. It exists because the government recognised that small practices need help with this. It's a 156-question downloadable application. It is technically free, technically useful, and technically the path the government endorses.

It is also, by most solo practitioners' accounts, brutal to use. The tool itself states in its user guide that it is "not a guarantee of HIPAA compliance." Most practitioners try it once, get bogged down somewhere around question 40, and never return.

The deeper problem is that the tool was clearly built by lawyers and IT professionals for an audience that already understood the underlying concepts. It assumes you know what an "addressable specification" is, why "encryption at rest" matters, what a "minimum necessary standard" looks like in practice. For a therapist whose graduate training was in clinical work rather than information security, the experience is closer to filling out a tax return in a foreign language.

This is the gap that drives most solo practices either toward expensive consultants (the path of least cognitive resistance, but it costs thousands) or toward giving up entirely (the path of least immediate cost, but it leaves them sitting on top of a major compliance gap they can't see).

What 2026 specifically changes

Two things are worth knowing about how the regulatory landscape is shifting:

First, HHS is moving toward more structured, quantitative risk scoring. Under the current rules, you can rate risks as "high/medium/low" based on professional judgment. Under the proposed 2026 Security Rule update, OCR is pushing toward numerical scoring aligned with NIST SP 800-30 methodology. This isn't fully in effect yet, but the direction is clear — risk analyses are expected to become more rigorous and more standardised.

Second, the distinction between "addressable" and "required" safeguards is being eliminated. Under the current rules, some safeguards (like encryption at rest) are "addressable" — you have to implement them or document why you aren't. Under the proposed 2026 changes, addressable becomes required for almost everything. This means your risk analysis can no longer conclude "we considered encryption and decided it wasn't necessary" — encryption is just expected, full stop.

The practical implication: if you're starting your first risk analysis now, build it to the higher 2026 standard rather than the older standard. It's the same amount of work either way, and it future-proofs your documentation.

Where Yundra fits in

Yundra is being built specifically to close the gap between "the free HHS tool that nobody can finish" and "the $5,000 consultant nobody can afford." It walks you through the same six questions in plain English, automatically maps your answers to the regulatory requirements, generates the documentation OCR expects to see, and gives you a 15-minute monthly check-in to keep everything current. It's designed for solo therapists by people who think compliance software should be honest, simple, and fairly priced.

We never see your patient data — Yundra manages your compliance program, not your records.

If reading this article made you realise your practice doesn't have a current, documented Security Risk Analysis, you're not alone — the majority of solo practices don't. Take the free assessment to start yours today — 25 minutes, plain English, instant compliance score.

For a broader overview of HIPAA compliance for solo therapists, see our complete 2026 guide.
