HIPAA Cybersecurity Assessment
Frequently Asked Questions
Answers for compliance officers, GCs, and CISOs at covered entities and business associates about Law & Forensics' HIPAA Security Rule risk analysis and assessment practice. Contact us for a confidential consultation.
HIPAA Cybersecurity Assessment
What a defensible HIPAA Security Rule risk analysis looks like — what it covers, what HHS OCR expects, and how it integrates with the rest of your cybersecurity program.
What is a HIPAA cybersecurity risk analysis, and is it required?
Yes — a risk analysis is mandatory under 45 CFR § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule for every covered entity and business associate.
It is the foundational requirement of the Security Rule. HHS Office for Civil Rights (OCR) requires an "accurate and thorough" assessment of risks to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the organization creates, receives, maintains, or transmits. Failure to conduct one is the most-cited finding in OCR enforcement actions.
What does Law & Forensics' HIPAA cybersecurity assessment cover?
The full Security Rule — administrative, physical, and technical safeguards — plus the Privacy Rule and Breach Notification Rule controls that depend on cybersecurity.
We map the ePHI inventory, identify threats and vulnerabilities, evaluate likelihood and impact, document existing controls, and quantify residual risk. We also review BA agreements, workforce training, sanction policies, contingency planning, and audit-log practices. Our methodology aligns with NIST SP 800-66 Rev. 2 (the HHS-published implementation guide for the Security Rule).
What does a HIPAA risk analysis deliverable look like?
A written report that documents scope, methodology, asset inventory, threats and vulnerabilities, likelihood and impact analysis, existing controls, residual risk, and a prioritized risk-management plan.
The report is structured so it can be produced directly to OCR if requested. We also include a board-ready executive summary and, where engaged under counsel, a privileged version with our legal analysis of HIPAA exposure.
How often should a HIPAA risk analysis be performed?
At least annually, and whenever there is a material change to the environment, operations, or threat landscape.
OCR has been clear that a one-time risk analysis is not compliant. New EHR deployments, mergers, telehealth expansions, ransomware-trend shifts, and changes in vendor relationships all trigger an updated analysis under § 164.308(a)(8) (evaluation).
Do business associates need their own HIPAA risk analysis?
Yes. Since the Omnibus Rule (2013), business associates are directly liable under the Security Rule and must conduct their own risk analyses.
This applies to cloud providers, MSPs, billing companies, transcription vendors, analytics firms, and any subcontractor handling ePHI. A covered entity's risk analysis is not sufficient — every BA needs one of its own. Our vendor due diligence service helps covered entities verify BA compliance.
How does a HIPAA risk analysis help if we suffer a breach?
OCR's first request after a reportable breach is the current risk analysis and risk-management plan — and OCR penalties are routinely escalated when those documents are missing or stale.
A current, defensible risk analysis is the single highest-leverage document in an OCR investigation. It also supports the four-factor breach-risk assessment under § 164.402, helping determine whether an incident must be reported to OCR, affected individuals, and (for breaches affecting 500 or more individuals) the media. See our incident response services.