Security Risk Analysis
A Security Risk Analysis is an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic patient health information (ePHI). The HIPAA Security Rule requires all covered entities to conduct a Security Risk Analysis and states the Risk Analysis should be an ongoing process. Once you have completed the Risk Analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)).

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ health information that is created, received, used, or maintained in electronic form by a covered entity (also known as ePHI). The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

Contact the Kentucky REC today for more information on how we can help with your security risk analysis.

Covered Entity

A covered entity is one of the following:

A Health Care ProviderA Health PlanA Health Care Clearinghouse
This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Covered Entity Guidance Tool

Protecting patients’ ePHI is as important as protecting their paper PHI. An SRA helps to identify vulnerabilities and threats surrounding your EHR and other IT systems containing and transmitting ePHI. Once identified, you will need to mitigate the vulnerabilities to reasonable level.

Please note all providers who are covered entities under HIPAA are required to perform a Security Risk Analysis.

Use the following tool to help determine if you are a Covered Entity

Why Do I Need a Security Risk Analysis (SRA)?

The Administrative Safeguards provisions in the HIPAA Security Rule require covered entities to perform risk analysis as part of their security management processes. Specifically, the Security Rule states that covered entities are required to:

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” §164.308(a)(1)(ii)(A):

• A risk analysis process includes, but is not limited to, the following activities:

• Evaluate the likelihood and impact of potential risks to e-PHI

• Implement appropriate security measures to address the risks identified in the risk analysis

• Document the chosen security measures and, where required, the rationale for adopting those measures

• Maintain continuous, reasonable, and appropriate security protections

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

Summary of the HIPAA Security Rule
Quality Payment Programs/MIPS Guidance


HIPAA Webinar Available Now – SRA Findings & Security Updates

Most Common SRA Findings From 2023 / HIPAA Security Updates Announced for 2024 With the number of healthcare data breaches continuing to rise, it’s important that healthcare organizations address oversights in their HIPAA security compliance program. Kentucky REC...

Register Today! HIPAA 2024 On Demand Webinar

Most Common SRA Findings From 2023 / HIPAA Security Updates Announced for 2024 Release Date: Monday June 17, 2024 @ 12PM ET   Fill out this brief REGISTRATION FORM to be among the first to receive the webinar recording.   With the number of healthcare data...

Register Today! Oct 24 – Kentucky REC Annual Conference

Join us for an engaging day where we share essential topics shaping modern healthcare. Our agenda includes in depth discussions of quality initiatives, HIPAA, Social Drivers of Health, and more.

Whether you’re a clinician, administrator, or a member of healthcare staff, this event is tailored to equip you with the insights and knowledge needed to navigate the complexities of modern healthcare.

Guest speakers will join us to present on relevant topics.