SentinelPanda

HIPAA Security Rule risk analysis: what is required

March 31, 2026

The risk analysis is the foundation of HIPAA Security Rule compliance — and the single most common finding when something goes wrong.

It is explicitly required

The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It is not optional, and it is not a one-time event.

What a defensible risk analysis contains

  • A complete inventory of where ePHI is created, received, maintained, or transmitted.
  • The threats and vulnerabilities to that ePHI.
  • An assessment of current security measures.
  • A likelihood and impact rating for each risk.
  • A documented risk level and the remediation decisions that follow.

Why it is the most-cited deficiency

In enforcement actions, regulators repeatedly find that organizations either never did a risk analysis, did one that was too narrow (covering one system instead of all ePHI), or did one once and never updated it. A risk analysis scoped to a single application while ePHI flows through email, backups, and vendors is not "accurate and thorough."

Make it ongoing

Tie each risk to the safeguards (administrative, physical, technical) that treat it, and revisit the analysis whenever systems, vendors, or threats change. A risk register linked to your control set turns the risk analysis from a document you produce under pressure into a living view you can show on demand.
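A minimal risk register in Python, added here as an illustration (not SentinelPanda's product code) with constructed, hypothetical sample data: it rates each risk from likelihood and impact, checks that every inventoried ePHI location has a recorded risk, flags risks marked for mitigation but tied to no safeguard, and lists system or vendor changes since the last review that should trigger a revisit.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed sample data (hypothetical inventory, controls and risks), not from the article.
EPHI_INVENTORY = ["ehr-app", "email", "backups", "billing-vendor"]
CONTROLS = {  # safeguard id -> (category, description)
    "A-01": ("administrative", "workforce security training"),
    "T-01": ("technical", "encryption of backups at rest"),
}

@dataclass
class Risk:
    rid: str
    asset: str                 # ePHI location from the inventory
    threat: str
    likelihood: int            # 1 rare .. 3 likely
    impact: int                # 1 minor .. 3 severe
    safeguards: list = field(default_factory=list)  # ids in CONTROLS
    decision: str = ""         # accept / mitigate / transfer / avoid

def risk_level(likelihood: int, impact: int) -> str:
    """Map the likelihood x impact score onto Low / Medium / High."""
    score = likelihood * impact
    return "Low" if score <= 2 else "Medium" if score <= 4 else "High"

def coverage_gaps(inventory, risks):
    """ePHI locations with no risk recorded: the 'too narrow' scoping problem."""
    return sorted(set(inventory) - {r.asset for r in risks})

def untreated(risks):
    """Risks with no documented decision, or marked 'mitigate' but tied to no safeguard."""
    return [r.rid for r in risks
            if not r.decision or (r.decision == "mitigate" and not r.safeguards)]

def review_triggers(last_reviewed: date, changes):
    """System, vendor or threat changes since the last review that require revisiting it."""
    return [desc for when, desc in changes if when > last_reviewed]

RISKS = [
    Risk("R1", "ehr-app", "credential theft", 3, 3, ["A-01"], "mitigate"),
    Risk("R2", "backups", "lost unencrypted tape", 1, 3, ["T-01"], "mitigate"),
    Risk("R3", "email", "phishing exposes ePHI", 2, 1, [], "mitigate"),  # no safeguard linked
]
CHANGES = [(date(2025, 11, 1), "email migrated to cloud"),
           (date(2026, 2, 10), "new billing vendor onboarded")]

def report(last_reviewed: date = date(2026, 1, 15)) -> dict:
    """One view of the register: levels, scope gaps, untreated risks, review triggers."""
    return {"levels": {r.rid: risk_level(r.likelihood, r.impact) for r in RISKS},
            "coverage_gaps": coverage_gaps(EPHI_INVENTORY, RISKS),
            "untreated": untreated(RISKS),
            "review_triggers": review_triggers(last_reviewed, CHANGES)}
```

The billing vendor appearing in `coverage_gaps` and R3 appearing in `untreated` are exactly the findings the enforcement actions above describe: ePHI in scope but not analysed, and a risk with no safeguard behind it.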
