Healthcare SRA vs. Risk Assessment: What Is the Difference and Why It Matters


What is an SRA in healthcare?

A Security Risk Assessment (SRA) in healthcare is a mandatory HIPAA evaluation of risks to electronic Protected Health Information (ePHI). It identifies where ePHI is stored and transmitted, assesses threats and vulnerabilities, evaluates existing safeguards, assigns risk levels, and produces a prioritized remediation plan. The HIPAA Security Rule requires covered entities and business associates to conduct an SRA and document the results.

Healthcare IT leaders and compliance officers frequently encounter two distinct types of assessments that are easy to conflate: the Security Risk Assessment (SRA) required by HIPAA, and the broader set of risk assessments that cover physical security, operational resilience, and business continuity. They serve different purposes, satisfy different requirements, and address different categories of risk. Conflating them is one of the most common compliance gaps OCR finds during investigations.

This guide breaks down what each assessment covers, how they differ, and why healthcare organizations need both to maintain a defensible compliance posture. It also covers what OCR is currently enforcing and what the consequences are for organizations that treat the SRA as optional.

What Is a Healthcare Security Risk Assessment (SRA)?

The HIPAA Requirement

A Security Risk Assessment in the HIPAA context is a mandatory evaluation of risks to electronic Protected Health Information. The HIPAA Security Rule explicitly requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI in their possession. This is not a best practice recommendation. It is a required implementation specification under 45 CFR 164.308(a)(1)(ii)(A).

OCR has made the SRA requirement a primary enforcement focus. Between 2024 and 2025, OCR’s risk analysis enforcement initiative resulted in settlement fines totaling nearly $900,000 across eight healthcare organizations that had failed to conduct compliant risk analyses. OCR’s Director stated that failing to conduct a thorough SRA leaves healthcare entities vulnerable to cyberattacks and that knowing where ePHI is and how it is protected is essential for HIPAA compliance. The enforcement pattern is consistent: organizations that cannot produce a documented, current SRA pay the price, not just organizations that suffer breaches.

What an SRA Actually Covers

During an SRA, your organization or a qualified assessor will work through a structured process:

  • ePHI mapping: Identify all systems and locations where ePHI is created, received, maintained, or transmitted — from EHR databases and email accounts to portable devices and cloud storage.
  • Threat and vulnerability identification: Document what could go wrong in each area — cyber threats including malware, phishing, and ransomware; human errors and malicious insiders; equipment failures; and natural disasters affecting IT systems.
  • Safeguard evaluation: Assess whether existing security measures such as encryption, access controls, backup systems, and policies meet HIPAA’s requirements.
  • Risk level determination: Analyze the likelihood and impact of each threat exploiting a vulnerability, typically rated low, medium, or high priority.
  • Mitigation planning: Prioritize identified risks and develop a remediation plan with documented implementation steps.

Why the SRA Is Not Optional

The objective of a HIPAA risk assessment is to identify weaknesses before a breach occurs. Organizations that skip or conduct inadequate SRAs are not just non-compliant. They are operating without visibility into where their exposure actually is. The average cost of a healthcare data breach in 2024 was approximately $9.8 million. A properly conducted SRA costs a fraction of that and provides a documented record that OCR can review if an incident occurs.

The SRA is also the foundation for your risk management program. Without it, decisions about which security controls to prioritize are made without the evidence base OCR requires you to have. For a practical framework on what OCR auditors expect to find documented and in what format, see the 2025 HIPAA Compliance Checklist for Healthcare Providers.

The distinction between the two assessment types is clearest side by side.

[Comparison table: HIPAA Security Risk Assessment versus broader risk assessment across seven criteria, including scope, frequency, deliverables, and consequences of skipping]

Beyond HIPAA: Physical, Operational, and Business Continuity Risk Assessments

Physical Security Risk Assessment

A physical security risk assessment evaluates the tangible safeguards protecting your facilities and equipment. It covers building access controls, alarm systems, camera surveillance, device storage and disposal procedures, and equipment placement. Physical risks are directly connected to cyber risks: an attacker stealing an unencrypted laptop and a natural disaster knocking out a data center both create ePHI exposure that feeds back into your HIPAA compliance posture.

The American Hospital Association has noted that today’s environment demands preparation for all forms of risk, including both cyberthreats and physical threats, because both can threaten a hospital’s ability to operate. A physical security assessment ensures that access to ePHI systems and critical infrastructure is controlled and resilient, which also satisfies HIPAA’s Physical Safeguards requirements under 45 CFR 164.310.

Operational Risk Assessment

An operational risk assessment takes a broader organizational view. Healthcare operations involve not just IT systems but also clinical workflows, supply chains, staffing, and finances. The question it asks is what could disrupt day-to-day operations or the ability to deliver care. Examples include a critical IT system outage beyond ePHI systems, vendor failures affecting essential supplies, staff shortages, or process failures that create errors in care delivery.

These risks are not explicitly covered by HIPAA, but they are directly relevant to patient safety and organizational stability. A security incident is not the only event that can put patient data or lives at risk. A power failure or communication breakdown can be just as damaging if no contingency plan exists. Operational risk assessments identify those vulnerabilities before they become events.

Business Continuity and Disaster Recovery Assessment

A business continuity risk assessment identifies potential events that could cause major disruption and evaluates how prepared your organization is to withstand and recover from them. In healthcare, downtime is more than an inconvenience. It can affect patient care delivery directly if critical systems go offline.

The scenarios this assessment covers range from natural disasters to prolonged power outages, ransomware attacks, and public health emergencies. A well-designed continuity plan addresses facility infrastructure, critical clinical and business operations, regional risks, and recovery procedures including who steps in when, how the organization communicates during the crisis, and how quickly normal operations resume.

Healthcare organizations must balance keeping patients and visitors safe while protecting equipment, facilities, and confidential data simultaneously. Focusing only on the cyber side addressed by an SRA can leave significant gaps. A broader risk program covers those scenarios and ensures no category of risk is unexamined. For the governance framework that connects these risk types at the organizational level, see Why Your Healthcare IT Provider Needs to Think Like a Risk Manager.

Why Healthcare Organizations Need Both Types of Assessment

Holistic Protection

Cybersecurity risks addressed by the SRA and other enterprise risks are interconnected. A weakness in one area can cascade into another. An inadequate backup power supply, a physical and operational issue, can turn a minor IT glitch into a major ePHI availability failure and a direct HIPAA violation. Conversely, a phishing attack can shut down systems and force an organization into emergency operations that are covered by the continuity plan, not the SRA.

SRA findings feed into overall risk management planning, and vice versa. If an SRA uncovers inadequate backup systems for ePHI, that finding belongs in the continuity plan. If a business continuity assessment identifies a critical dependency with no redundancy, that feeds back into the SRA’s remediation priorities. Neither assessment is complete without the other.

Compliance Beyond the Minimum

An annual SRA satisfies the HIPAA compliance requirement. But regulators, insurers, and accrediting bodies are increasingly expecting more comprehensive risk programs, not just HIPAA documentation. Insurers use risk assessment scope and frequency as underwriting factors for cyber liability policies. OCR’s heightened enforcement makes clear that paper compliance is not sufficient. Real risk reduction, documented across all risk categories, is what both regulators and the organization’s own resilience require.

For the MSSP and security partner obligations that connect to your SRA and broader risk program under HIPAA’s business associate requirements, see MSSP for Healthcare: What HIPAA Requires from Your Security Partner.

Patient Safety and Organizational Trust

Both types of assessments ultimately serve patient safety. An SRA helps prevent breaches that expose sensitive health information, protecting patient privacy and the organization’s regulatory standing. Broader risk assessments ensure the organization can continue to care for patients under any circumstances, from keeping clinical systems operational during a disaster to preventing unauthorized physical access to ePHI systems.

When patients and regulators see a comprehensive approach to risk management, it builds confidence that the organization can protect both data and people. In healthcare, where operational failures and data breaches both carry patient safety consequences, that confidence is not incidental. It is earned through documented, consistent risk management practice.

Resilience as a Measurable Outcome

Proactively assessing risks produces a measurable outcome: an organization that knows where its exposure is and has documented plans to address it. Healthcare leaders who invest in both SRA and broader risk assessments have actionable remediation plans, documented evidence for auditors, and a clearer picture of which risks carry the most consequence if left unaddressed. That preparedness is demonstrable to OCR, to insurers, and to the board.

How to Choose the Right SRA Partner for Your Organization

Knowing what an SRA requires and knowing how to conduct one are two different problems. For most healthcare organizations, especially those without a dedicated compliance officer or internal security team, the SRA involves decisions about methodology, assessor qualifications, deliverable format, and how findings feed into an ongoing risk management program.

The quality of an SRA is only as good as the methodology behind it and the experience of the assessor interpreting the findings. An assessor who does not understand clinical workflows, EHR architecture, or the specific threat patterns targeting healthcare organizations will produce a risk analysis that looks complete on paper but misses the vulnerabilities that matter. For a detailed framework on how to evaluate and select an SRA partner for a healthcare environment, see How Healthcare Providers Can Choose the Right SRA Partner.

Conclusion: SRA and Risk Assessment Are Not the Same Thing

A HIPAA Security Risk Assessment is non-negotiable. It is the legally required, documented foundation of your ePHI protection program, and OCR enforcement data confirms that organizations without a current, compliant SRA on file face disproportionate regulatory scrutiny. Broader risk assessments covering physical security, operational risk, and business continuity are equally important for a different reason: they protect everything the SRA does not cover, and they provide the organizational resilience that keeps patient care running when incidents occur.

Both types of assessments are required for a defensible compliance posture, and both are required for a genuinely resilient healthcare organization. The practical question for most organizations is not whether to conduct them but how to structure them, who should conduct them, and how findings from one feed into planning for the other.

In healthcare, every risk you document and address is a gap you have closed before an attacker or an auditor found it first. For how the SRA fits within a complete managed IT services program for healthcare, see the complete guide to managed IT services for healthcare.

Ready to get your SRA on the calendar?

Meriplex conducts HIPAA Security Risk Assessments for healthcare organizations including specialty practices, health systems, and long-term care facilities. We will map your ePHI environment, identify your highest-priority vulnerabilities, and deliver a remediation plan that satisfies OCR's documentation requirements.
