Pillar Guide

HIPAA Risk Analysis: The Complete Guide for Small Healthcare Practices

The written HIPAA Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A) is the document the Office for Civil Rights requests first when an investigation opens. Most small practices do not have one that survives substantive review. This guide explains what HHS actually requires, what OCR audits, what every cost tier delivers, and how to produce a deliverable that holds up.

Author: Sam Cherkaoui, CIPP/US | Last updated: May 31, 2026 | Reading time: 28 minutes | Regulation: 45 CFR 164.308(a)(1)(ii)(A)

Quick Answer

  • The legal requirement: 45 CFR 164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct an accurate and thorough written assessment of risks and vulnerabilities to all electronic protected health information (ePHI) the organization creates, receives, maintains, or transmits.
  • The two HHS frameworks OCR uses to evaluate it: the HHS Final Guidance on Risk Analysis Requirements (nine required elements) and the HHS Audit Protocol (five evaluation criteria).
  • Who needs one: every covered entity and every business associate. Solo practitioners included. HIPAA has no employee count threshold.
  • What does not count: compliance platform questionnaires, EHR vendor templates, IT vulnerability scans, and HIPAA compliance seals or badges. These are inputs at best. None is the written analysis OCR will accept.
  • Cost ranges: $0 DIY (high risk), $400 to $8,000+ per year for software, $3,500 to $4,500 flat fee for a credentialed CIPP/US engagement, $15,000 to $40,000+ for big-four or law firm work.
  • The enforcement picture in 2026: OCR collected over $1.28 million across six HIPAA settlements in the first four months of 2026. Inadequate Risk Analysis was the most frequently cited finding, appearing in 13 of 20 recent enforcement matters.
  • NPA delivers it in three weeks for a flat $3,500 to $4,500, built against all five Audit Protocol criteria and all nine Final Guidance elements. See the service page.

1. What is a HIPAA Risk Analysis?

A HIPAA Risk Analysis is a written, documented, current assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI) a covered entity or business associate creates, receives, maintains, or transmits.

The legal authority is 45 CFR 164.308(a)(1)(ii)(A), an Administrative Safeguard under the HIPAA Security Rule. The Security Rule has required this document since the rule took effect in 2005. The phrase that matters in enforcement is accurate and thorough: the analysis has to reflect your actual practice, not a generic template, and it has to cover every system, device, workflow, and vendor that touches patient data.

The companion requirement is at 45 CFR 164.308(a)(1)(ii)(B), the Risk Management standard, which requires the practice to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. These two provisions sit next to each other in the regulation for a reason: the analysis identifies the risks; the management plan documents what you are doing about them. OCR investigates both.

A Risk Analysis is not a one-time deliverable in spirit, even though the regulation does not name an interval. OCR has consistently cited outdated analyses in enforcement, and the proposed Security Rule update HHS has been working toward would codify an annual requirement. In practice, every significant change to the practice (new EHR, new vendor, new location, new staff workflow) should trigger a refresh.

One sentence definition for a regulator: "A written, dated, signed assessment of the threats and vulnerabilities to all ePHI we create, receive, maintain, or transmit, scoped to our specific environment, with documented likelihood and impact for each risk and a linked Risk Management Plan."

2. Risk Analysis vs Risk Assessment vs Compliance Audit

The terminology in this space is loose, and the looseness costs practices money. Software vendors, IT firms, and even some consultants use these terms interchangeably. OCR does not. When an investigator asks for your Risk Analysis, only one of these documents satisfies the request.

Term | What it actually means | Required by | Substitutes for Risk Analysis?
HIPAA Risk Analysis | The specific written analysis defined in 45 CFR 164.308(a)(1)(ii)(A). Evaluated against HHS Final Guidance and HHS Audit Protocol. | HIPAA Security Rule | This is the document. Nothing substitutes for it.
Risk Assessment (generic) | Umbrella term used for many evaluations: IT scans, vendor questionnaires, walkthroughs, informal checklists. | Not a defined HIPAA term | No. May produce inputs to the Risk Analysis.
Breach Risk Assessment | The four-factor assessment required when an impermissible use or disclosure occurs, to determine whether the incident is a reportable breach. | 45 CFR 164.402 | No. Different purpose, different timing, different document.
Vulnerability Scan | Technical scan of network, endpoints, and systems for known security weaknesses. Produced by IT firms or scanning tools. | Useful input; not required by HIPAA | No. Covers the technical layer only. Misses administrative and physical safeguards entirely.
Compliance Audit / Gap Analysis | Evaluation of the overall program against a framework (HIPAA, state law, NIST). Identifies gaps; recommends remediation. | Not required; best practice | No. Broader and shallower than a Risk Analysis. Often complementary.
Penetration Test | Authorized simulated attack on systems to find exploitable vulnerabilities. | Not required; useful for high-risk practices | No. Tests technical defenses, not the documented analysis.

The cleanest way to think about it: the Risk Analysis is the document. Everything else on this list is either an input that feeds the document or a different deliverable serving a different purpose. When a vendor tells you their software produces a "HIPAA Risk Assessment," ask whether the output satisfies the nine elements of the HHS Final Guidance and the five criteria of the HHS Audit Protocol. If they cannot answer that question with specifics, the output is not the document OCR is asking for.

3. Who is required to conduct one

The short answer: every HIPAA covered entity and every business associate. The longer answer matters because misunderstandings here cause practices to skip the requirement entirely.

Covered entities

Under 45 CFR 160.103, a covered entity is one of three categories: a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction. Almost every healthcare provider in the United States meets the third definition because they bill insurance electronically. Dentists, therapists, physicians, dermatologists, ophthalmologists, mental health practitioners, physical therapists, chiropractors, med spas, ambulatory surgery centers, telehealth providers. All of them. The rare exception is a provider that never transmits a standard transaction electronically, such as a cash-only practice that files no electronic claims; even then, state privacy law still applies, and the practice becomes a covered entity the day it submits its first electronic claim.

Business associates

A business associate is a person or entity that performs a function on behalf of a covered entity that involves the use or disclosure of PHI. IT support firms, billing companies, EHR vendors, document destruction services, transcription services, cloud storage providers, and certain marketing tools all qualify. Under HIPAA, business associates have their own independent obligation to conduct a Risk Analysis. The Omnibus Rule made this explicit in 2013. As covered in why an IT provider BAA does not equal HIPAA compliance, signing a BAA does not transfer your obligation to the vendor. Both parties have their own Risk Analysis requirement.

Practice size does not matter

This is the misunderstanding that produces the most exposure. HIPAA has no employee count threshold. A solo dental practice in a 1,200 square foot suite has the exact same Risk Analysis requirement as Memorial Hermann. OCR settlements regularly involve practices with under 20 employees. The May 2025 settlement with Vision Upright MRI ($5,000, 21,778 patients affected) is a representative example: a small California imaging provider whose Risk Analysis gap was the central finding. The deep-dive on this for one-person practices is at HIPAA compliance for solo practitioners in Texas.

The "we use software so we are covered" misunderstanding

Practice management software and EHR systems handle a fraction of the roughly 40 implementation specifications in the Security Rule. They do not produce the written Risk Analysis. They do not vet your business associates. They do not document your training. The argument that compliance is delegated to a vendor does not survive an OCR document request. The platform comparison in Medcurity vs Patient Protect vs a real Risk Analysis walks through what software actually produces and where the gap sits.

4. What HHS requires it to contain

HHS publishes two documents that together define the substantive bar for a Risk Analysis: the Final Guidance on Risk Analysis Requirements Under the HIPAA Security Rule (issued 2010) and the HHS Audit Protocol (maintained on the HHS.gov website and used by OCR auditors during compliance reviews).

The nine required elements (HHS Final Guidance, 2010)

The 2010 Final Guidance defines the substantive content the Risk Analysis must include. These are not nine optional sections. They are nine elements OCR expects every analysis to address.

  1. Scope of the analysis. Identify all ePHI the organization creates, receives, maintains, or transmits, including every device, system, application, and physical location.
  2. Data collection. Document the methodology used to gather information about ePHI flows, systems, and safeguards.
  3. Identify and document potential threats and vulnerabilities. The guidance treats these as one element because they only become a risk as a pair: a threat (organized by source type, such as adversarial, accidental, structural, or environmental) matched to a specific weakness in administrative, physical, or technical safeguards that the threat could exploit.
  4. Assess current security measures. What controls are already in place, and whether they are configured and used as intended. This is the element software questionnaires most often miss.
  5. Determine the likelihood of threat occurrence. For each threat-vulnerability pair, document how likely exploitation is in this environment.
  6. Determine the potential impact of threat occurrence. The harm that would result if the threat were realized. Most small practices use a low/medium/high scale.
  7. Determine the level of risk. The combination of likelihood and impact, usually read off a NIST SP 800-30 style likelihood-by-impact matrix.
  8. Finalize documentation. A written record, dated and signed, retained for at least six years per 45 CFR 164.316(b)(2)(i).
  9. Periodic review and updates to the risk assessment. The guidance lists ongoing review as its own element, not an afterthought.

The ninth element is the one most often skipped. The analysis is not a one-time document. Whenever the practice changes in a way that affects ePHI (new systems, new vendors, new staff, new physical locations, workflow changes), the analysis must be revisited. The proposed Security Rule update would codify an annual minimum.

The five evaluation criteria (HHS Audit Protocol)

The HHS Audit Protocol gives OCR auditors a structured way to evaluate whether a submitted Risk Analysis meets the standard. The five evaluation criteria are:

  1. Defined scope. The analysis identifies all systems creating, transmitting, or maintaining ePHI.
  2. Threats and vulnerabilities identified. Specific to the practice environment.
  3. Assessment of current security measures. Each control documented with status and evidence.
  4. Impact and likelihood analysis. Per threat-vulnerability pair, with documented rationale.
  5. Risk rating. Derived from impact and likelihood; tied to the Risk Management Plan.

These criteria map directly onto the nine elements but in a format that supports auditor scoring. When OCR opens a compliance review, the auditor walks through the submitted document against this checklist. A Risk Analysis that touches scope at a high level but does not document current security measures or likelihood and impact at the depth the Audit Protocol describes will receive a finding.

The methodology framework: NIST SP 800-30

HHS Final Guidance cites NIST Special Publication 800-30 (Guide for Conducting Risk Assessments; the current revision is Rev. 1, 2012) as an example of a risk assessment methodology, while stating that no single methodology is required. In practice it is the structure credentialed advisors use: the threat taxonomy (adversarial, accidental, structural, environmental), the qualitative likelihood and impact scales, and the likelihood-by-impact matrix for the level of risk all come from 800-30 Rev. 1. Software platforms that produce generic checklists rarely follow this structure.

5. What OCR actually looks at

When OCR opens an investigation under its Risk Analysis Initiative (launched October 2024 and expanded in April 2026), the Risk Analysis is the first document the investigator requests. The dynamics of that request are covered in detail in the HIPAA Risk Analysis OCR actually wants to see. The short version is below.

What makes a Risk Analysis defensible

  • Site-specific scope. The document identifies your actual EHR, practice management software, billing system, scheduling tool, email platform, cloud storage, mobile devices, and every vendor with access to ePHI. By name. Not generic categories.
  • Documented current security measures. Each control (access management, audit controls, integrity controls, transmission security, encryption) is listed with current status and supporting evidence. "Encryption enabled" is not enough. The analysis cites the configuration, the key management procedure, and the platforms covered.
  • Threat-vulnerability pairing. Identified threats are mapped to specific vulnerabilities. "Ransomware" is a threat. "Unpatched workstation running an outdated OS" is the vulnerability. The pairing produces the risk.
  • Likelihood and impact with rationale. Not a single-letter rating. A short narrative explains why this threat is rated low/medium/high in this environment.
  • Risk Management Plan linkage. Each High and Moderate risk has a documented action, owner, and deadline. OCR's April 2026 guidance expansion made this explicit.
  • Dated, signed, retained. Cover page identifies the preparer (credential and date), the practice, and the version. Retained for at least six years.
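The mechanics behind the list above and the section 4 methodology (threat-vulnerability pairing, likelihood and impact with a rationale, a NIST SP 800-30 style level-of-risk matrix, and the Risk Management Plan linkage OCR checks for every High and Moderate risk) are easy to get wrong in a spreadsheet. The following is an added worked example, not part of this guide or any NPA deliverable, of a minimal risk register in Python that rates each pair and then audits the register against the five Audit Protocol criteria. The practice, assets, vendors, risks, and controls are constructed sample data; the matrix is modeled on Table I-2 of NIST SP 800-30 Rev. 1 and should be verified against the publication before adoption.

```python
# Added example (not from this guide or from NPA): a minimal HIPAA risk register that
# rates threat-vulnerability pairs with a NIST SP 800-30 style matrix and then audits
# the register against the five HHS Audit Protocol criteria. Sample data is constructed.
from dataclasses import dataclass
from typing import Optional

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Level of risk for (likelihood row, impact column), modeled on Table I-2 of
# NIST SP 800-30 Rev. 1; verify against the publication before adopting it.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}

@dataclass
class Control:
    name: str
    status: str                      # implemented / partial / not implemented
    evidence: Optional[str] = None   # screenshot, policy reference, vendor config page

@dataclass
class Risk:
    asset: str          # must match an entry in the ePHI inventory (criterion 1)
    threat: str         # e.g. "Ransomware delivered by phishing"
    vulnerability: str  # the specific weakness the threat exploits (criterion 2)
    likelihood: str     # one of LEVELS
    impact: str         # one of LEVELS
    rationale: str      # why these ratings apply in this environment (criterion 4)
    action: Optional[str] = None    # Risk Management Plan linkage (criterion 5)
    owner: Optional[str] = None
    deadline: Optional[str] = None  # ISO date

def rate(likelihood: str, impact: str) -> str:
    """Level of risk from the qualitative matrix; rejects values outside the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"scale value outside LEVELS: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def audit_register(inventory, risks, controls):
    """Audit Protocol findings as (criterion, message) tuples; an empty list is clean."""
    findings = []
    covered = {r.asset for r in risks}
    for asset in inventory:                        # criterion 1: every inventory item analysed
        if asset not in covered:
            findings.append((1, f"inventory item '{asset}' has no risk analysed"))
    for r in risks:
        if not r.threat.strip() or not r.vulnerability.strip():  # criterion 2: a real pair
            findings.append((2, f"'{r.asset}': threat and vulnerability must both be specific"))
        if not r.rationale.strip():                # criterion 4: documented rationale
            findings.append((4, f"'{r.asset}' / '{r.threat}': no likelihood/impact rationale"))
        level = rate(r.likelihood, r.impact)
        if level in ("Moderate", "High", "Very High"):  # criterion 5: Risk Management Plan link
            missing = [f for f in ("action", "owner", "deadline") if not getattr(r, f)]
            if missing:
                findings.append((5, f"'{r.asset}' / '{r.threat}' rated {level} but the "
                                    f"Risk Management Plan lacks {', '.join(missing)}"))
    for c in controls:                             # criterion 3: evidence behind each claim
        if c.status == "implemented" and not c.evidence:
            findings.append((3, f"control '{c.name}' claimed implemented with no evidence"))
    return findings

def prioritized(risks):
    """Risk Management Plan order: highest level first, register order within a level."""
    return sorted(risks, key=lambda r: LEVELS.index(rate(r.likelihood, r.impact)), reverse=True)

# Constructed sample data for a fictional small dental practice.
INVENTORY = ["Dentrix EHR server", "Imaging workstation (operatory 2)", "Practice email (Microsoft 365)",
             "Billing clearinghouse portal", "Front-desk scheduling tablet"]
RISKS = [
    Risk("Imaging workstation (operatory 2)", "Ransomware delivered by phishing",
         "Shared local login; operating system no longer receives security patches",
         "High", "High", "Unpatched for 18 months; staff open external email on it.",
         action="Replace OS, assign unique logins", owner="Office manager", deadline="2026-07-15"),
    Risk("Practice email (Microsoft 365)", "Mailbox account takeover", "MFA not enforced for all users",
         "Moderate", "High", "Credential phishing is common; mailbox holds referral PDFs with PHI.",
         action="Enforce MFA tenant-wide"),        # no owner, no deadline
    Risk("Dentrix EHR server", "Fire or flood in server closet",
         "Only backup is a USB drive stored in the same closet", "Low", "Very High",
         "Single site; total loss of charts if the closet is damaged.",
         action="Encrypted off-site backup", owner="IT vendor", deadline="2026-08-01"),
    Risk("Billing clearinghouse portal", "Vendor-side breach", "", "Low", "Moderate", ""),
]
CONTROLS = [
    Control("Laptop full-disk encryption", "implemented"),  # asserted, no evidence reference
    Control("Unique user IDs in Dentrix", "implemented", evidence="User list export 2026-05-01"),
]

if __name__ == "__main__":
    for r in prioritized(RISKS):
        print(f"{rate(r.likelihood, r.impact):9}  {r.asset}: {r.threat}")
    for crit, msg in audit_register(INVENTORY, RISKS, CONTROLS):
        print(f"Audit Protocol criterion {crit}: {msg}")
```

Run as a script, it lists the register in Risk Management Plan order (the ransomware pair rated High first, the two Moderates next, the Low last) and then reports five findings, one per criterion: the scheduling tablet is in the inventory but never analysed, the clearinghouse row has neither a specific vulnerability nor a rationale, the encryption control is asserted without evidence, and the Moderate email risk has an action but no owner or deadline. That last finding is the shape of the "no Risk Management Plan follow-through" deficiency OCR cites; the register only passes when it comes back empty.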

What makes a Risk Analysis inadequate

  • Generic template populated with vendor names but no analysis of the specific practice environment.
  • Scope limited to the EHR. Missing email, scheduling, mobile devices, IT vendor, and the business associate chain.
  • "Yes" / "No" / "N/A" checklist with no supporting evidence or rationale.
  • No documented threat-vulnerability pairs; no likelihood or impact analysis.
  • Outdated. Dated three years ago with no refresh, even though the practice changed EHRs and added two business associates since.
  • No companion Risk Management Plan. The analysis identifies findings but shows no follow-through.
  • Produced by software that the practice never reviewed or customized.

The single most cited finding in 2026 OCR enforcement. Inadequate Risk Analysis appeared in 13 of 20 recent enforcement matters. In 2025, 76 percent of all OCR enforcement actions included a Risk Analysis penalty. The pattern continued into 2026: OCR collected over $1.28 million across six HIPAA settlements in the first four months of the year, with Risk Analysis failures cited in the majority.

6. Cost ranges at every tier

The cost of producing a Risk Analysis varies by an order of magnitude depending on the approach. Below is what each tier actually delivers. Numbers reflect 2026 pricing from vendor published rates and NPA's own engagement experience.

Approach | Annual cost | Practice staff time | Professional time | OCR-defensible?
DIY (template from HHS) | $0 | 40 to 80 hours | None | Rarely. Possible if the practice owner has compliance training. Most small practices that try this end up with a document that misses Audit Protocol criteria 3 and 4.
Compliance software (Medcurity, Patient Protect, Compliancy Group) | $400 to $8,000+ | 20 to 40 hours | None to limited coaching | Marketed as compliant; vendor disclaimers commonly state otherwise. Falls short on current security measures and likelihood/impact at OCR's substantive bar.
IT firm or MSP "Risk Assessment" | $1,500 to $5,000 | 10 to 20 hours | 10 to 20 hours technical | Covers technical safeguards only. Misses administrative and physical. Not a Risk Analysis on its own.
Credentialed CIPP/US flat-fee engagement (NPA) | $3,500 to $4,500 | 6 to 7 hours | 20 to 25 hours CIPP/US | Yes. Built directly against all 5 Audit Protocol criteria and all 9 Final Guidance elements.
Healthcare regulatory law firm or big-four consultancy | $15,000 to $40,000+ | 4 to 8 hours | 30 to 60+ hours | Yes, but cost prohibitive for most small practices. Appropriate for entities with breach exposure or an active OCR investigation.

What you actually get at each tier

DIY: The HHS Security Risk Assessment (SRA) Tool is free and can produce a reasonable starting point if a clinician owner has the time to learn the methodology. In practice, most small practices that attempt DIY produce a partially completed questionnaire that does not meet the Audit Protocol bar. The economic argument for DIY is real (zero dollars) but the time cost (40 to 80 hours of clinician time at clinician opportunity cost) and the quality risk usually make this the most expensive option in real terms.

Software: Medcurity, Patient Protect, Compliancy Group, and similar platforms produce structured outputs and handle related workflows (training tracking, BAA management, policy templates). They are useful operational tools. Their Risk Analysis outputs typically satisfy criteria 1 and 2 (scope, threats and vulnerabilities) at a surface level and fall short on criteria 3, 4, and 5 (current security measures, likelihood/impact, risk rating with rationale). The vendor disclaimers reflect this. The deep comparison sits at Compliancy Group vs a human HIPAA consultant and Medcurity vs Patient Protect vs a real Risk Analysis.

NPA flat fee ($3,500 to $4,500): Three-week turnaround, CIPP/US certified principal advisor, 25 to 40 page written document built against all 9 Final Guidance elements and all 5 Audit Protocol criteria, with companion Risk Management Plan and 30-60-90 day action plan. Pricing scales with practice size and scope. See the service page for the full deliverable list.

Big-four / law firm ($15K+): Appropriate when the practice has an active OCR investigation, a documented breach of 500+ records, or a complex multi-location operation. The premium pays for legal privilege (in the law firm case), large team coverage, and brand-name credibility in a settlement negotiation. Overkill for routine compliance.

The math of penalty vs prevention. The 2026 HIPAA civil monetary penalty tiers (per Federal Register Notice 2026-01688) run from a $145 per-violation minimum at Tier 1 to a $2,190,294 annual cap at Tier 4. A $3,500 Risk Analysis takes the most-cited finding in OCR enforcement off the table entirely. A missing analysis is hard to argue into Tier 1 ("did not know"): the requirement has been explicit since 2005, which leaves reasonable cause or willful neglect (Tiers 2 through 4) as the realistic classifications. The HIPAA penalty calculator walks through how those tiers get applied.

7. Software vs consultant

This is the decision most small practices wrestle with. The honest answer is not "software is bad" or "consultants are necessary for everything." It is "the two tools do different jobs, and the cheaper of them does not do the job OCR is asking about."

Where software fits

  • Workforce training tracking. Annual HIPAA training for staff, completion records, content delivery. Software handles this at scale.
  • BAA inventory and reminders. Maintaining a list of vendors with PHI access, tracking BAA expiration dates, sending reminders.
  • Policy distribution. Pushing updated policies to staff, tracking acknowledgments.
  • Operational hygiene. Periodic checks, breach simulation drills, training refreshers.
  • Documentation storage. A central repository for compliance artifacts.

These are recurring administrative workflows. Software is the right tool for them. $499 to $1,200 per year is a fair price for what they deliver.

Where software falls short

  • Site-specific Risk Analysis. The questionnaire-driven output rarely satisfies Audit Protocol criteria 3 (current security measures) and 4 (likelihood and impact) at the substantive depth OCR applies. The seven gaps every practice should audit covers each in detail.
  • BAA negotiation. Software identifies vendors that need BAAs. It does not read the vendor's BAA, flag liability caps, or push back on terms.
  • Vendor due diligence beyond the BAA signature. Whether the vendor is actually using HIPAA-eligible services (AWS, Microsoft, Google Cloud each publish in-scope lists; software does not check).
  • Four-factor breach risk assessment. When an incident occurs, the determination of whether it constitutes a reportable breach requires documented analysis under 45 CFR 164.402. Software provides a form, not the analysis.
  • OCR-defensible documentation. The audit-grade evidence OCR requests includes decision logs, meeting notes, and email threads showing how decisions were made. Software stores artifacts but does not produce the underlying judgment record.

The right answer for most small practices

Use both, in the right order. Engage a credentialed CIPP/US advisor for a one-time written Risk Analysis built against the HHS Audit Protocol ($3,500 to $4,500, three weeks). Adopt the Risk Management Plan. Implement controls for High and Moderate risks first. Then use compliance software for the recurring operational hygiene work software does well. Refresh the Risk Analysis annually with the same advisor at a reduced rate.

This is the path that produces both a defensible OCR posture and reasonable ongoing operational management at a combined annual cost most small practices can absorb.

What about vendors that say no consultant is ever needed?

Some platforms market themselves on a "no consultant needed" claim. This sounds appealing and is worth examining carefully. The reasoning typically rests on the assumption that platform output equals OCR-defensible documentation. OCR enforcement actions since the Risk Analysis Initiative launched in October 2024 do not support that assumption. The full breakdown sits at when a vendor says no consultants are needed. The same skeptical reading applies to HIPAA compliance seals and badges, as covered in why a HIPAA compliance seal will not save you in an OCR investigation.

8. Healthcare-specialty variations

The HIPAA Risk Analysis requirement applies the same way across all specialties. What changes is the threat landscape, the systems in scope, and the patient-population dynamics that surface as risks. Below is what differs for the specialties NPA serves most frequently.

Small dental practices

Dental practices typically run an EHR (Dentrix, Eaglesoft, Open Dental), a digital imaging system, an external billing or insurance clearinghouse, and shared workstations across multiple operatories. Common risk surface: shared workstation logins, imaging software that backs up to a local server, and an IT vendor with persistent remote access. The ADA endorsement of certain compliance platforms creates a separate dynamic worth understanding (covered in the Compliancy Group ADA endorsement review). The dental-specific deep dive sits at HIPAA Risk Analysis for small dental practices in Houston.

Mental health practices

Mental health practitioners face a distinctive risk surface around web tracking. Many therapy and counseling sites use Google Analytics, Meta Pixel, and similar tracking tools. OCR's December 2022 bulletin on tracking technologies, updated in March 2024, states that tracking code on pages that authenticate patients, or on pages where the visit itself reveals a health condition or a request for care, can send PHI to the tracking vendor and constitute an impermissible disclosure absent a BAA or patient authorization. A federal court vacated part of the bulletin's reach over unauthenticated pages in June 2024, but the authenticated-page position stands, and the major analytics and advertising vendors do not sign BAAs for these tools. The specific dynamics for behavioral health are covered in Texas mental health practices and the HIPAA tracking code gap.

Dermatology and aesthetic medicine

Dermatology practices share the tracking-pixel risk in an amplified form. Before-and-after photographs, treatment-page navigation, and cosmetic-procedure inquiries all create higher-risk web analytics events. The dermatology-specific analysis is at Houston dermatology and the HIPAA tracking pixel risk.

Pediatric and family practice

Pediatric and family practices have a unique compliance surface around parental access to records. The HIPAA Privacy Rule, state laws, and the COPPA-adjacent considerations for adolescent patients create a layered access framework most general guidance does not address. The deep dive is at HIPAA parental access to children's medical records.

Telehealth, med spas, and concierge medicine

Telehealth providers face additional risk around video platforms and the BAA chain: whether the video vendor signs a BAA and the plan in use is one of its HIPAA-eligible offerings, whether sessions are encrypted in transit (end-to-end where the platform supports it), and where session recordings and chat transcripts live if they exist. Med spas blend cosmetic and medical record dynamics that are not always cleanly delineated. Concierge medicine practices often have unusual technology stacks (custom apps, direct-to-patient messaging) that conventional Risk Analysis templates miss. All three are addressable; the analysis just needs to be scoped to the actual environment, not a template.

For the full set of specialty-specific HIPAA pages, see HIPAA compliance for healthcare practices.

9. Common mistakes that fail OCR review

Across published OCR settlements in 2024, 2025, and the first four months of 2026, six mistakes account for the majority of substantial findings against small healthcare practices. Each one is preventable.

Mistake 1: Scope limited to the EHR

The analysis covers Dentrix or Epic and stops there. Misses email, scheduling, billing clearinghouse, cloud storage, mobile devices, IT vendor, and the rest of the BAA chain. OCR scope is "all ePHI the organization creates, receives, maintains, or transmits." Not "ePHI in the primary clinical system."

Fix: Build a complete ePHI inventory before drafting the analysis. List every system that touches PHI by name. Map data flows between them.

Mistake 2: Generic threats with no environment-specific rationale

"Ransomware is a threat." Yes. So is fire. The analysis is supposed to evaluate likelihood and impact for your environment, not list every threat from the NIST catalog.

Fix: For each identified threat, write a sentence on why this threat is relevant to your specific environment and what makes it more or less likely than average.

Mistake 3: Yes/No checklist with no evidence

"Encryption: Yes. Access controls: Yes. Audit logs: Yes." Without supporting evidence, this is an assertion, not an assessment of current security measures. Audit Protocol criterion 3 explicitly requires evaluation of what is in place, not a checkbox claim.

Fix: For each control, document the platform, the configuration, the responsible owner, and an evidence reference (screenshot, policy reference, vendor configuration page).

Mistake 4: No Risk Management Plan

The analysis identifies 12 risks. None of them has an action, owner, or deadline. OCR's April 2026 guidance expansion made this an explicit deficiency category. Identifying risks without addressing them is no longer sufficient.

Fix: Every High and Moderate risk gets a documented action, owner, and deadline. The Risk Management Plan is a companion document to the Risk Analysis. It is required by 45 CFR 164.308(a)(1)(ii)(B).

Mistake 5: Outdated

The analysis is dated 2022. Since then the practice changed EHRs, added telehealth, hired two new staff, and started using a new billing service. The 2022 document no longer reflects the current environment. OCR treats this the same as not having one.

Fix: Annual refresh. Trigger an interim refresh for any material change.

Mistake 6: Reliance on a vendor seal instead of the document

A practice displays a "HIPAA Certified" badge from a software vendor and assumes the badge is the compliance evidence. It is not. HHS and OCR do not issue or endorse any private HIPAA seal. The seal is a marketing artifact. The full analysis sits in why a HIPAA compliance seal will not save you in an OCR investigation.

Fix: Produce the written Risk Analysis document. The seal does not substitute for it.

10. What happens if you do not have one

The enforcement landscape in 2026 is more active than in any prior year. The numbers below are drawn from published HHS Resolution Agreements and Federal Register penalty notices.

2026 civil monetary penalty tiers

Per Federal Register Notice 2026-01688, the inflation-adjusted HIPAA civil monetary penalty tiers for 2026 are:

Tier | Culpability | Per-violation minimum | Per-violation maximum | Annual cap
1 | Did not know (after reasonable diligence) | $145 | $73,011 | $2,190,294
2 | Reasonable cause | $1,461 | $73,011 | $2,190,294
3 | Willful neglect, corrected within 30 days | $14,602 | $73,011 | $2,190,294
4 | Willful neglect, not corrected | $73,011 | $2,190,294 | $2,190,294

These are the statutory tiers, adjusted for inflation. Most OCR enforcement against small practices resolves through a Resolution Agreement (a settlement) rather than a civil monetary penalty. Settlement amounts in 2024 and 2025 against small practices ranged from $5,000 (Vision Upright MRI, May 2025) to $350,000 (Northeast Radiology, April 2025), and most of them cited Risk Analysis failures as a primary deficiency. OCR pursues even financially distressed business associates: the March 2026 MMG Fusion settlement was only $10,000 against a breach affecting 15 million individuals, with the low figure reflecting MMG's financial condition rather than the breach's severity. The HIPAA penalty calculator walks through how these tiers get applied to a specific scenario.

Corrective Action Plans

Beyond the monetary settlement, most Resolution Agreements include a Corrective Action Plan (CAP) running two to three years. CAP terms typically require the entity to conduct a comprehensive Risk Analysis, develop a Risk Management Plan, submit annual compliance reports to OCR, update policies, and conduct workforce training. The CAP cost (outside counsel coordination, advisor time, monitoring) often exceeds the headline settlement amount.

The 2026 enforcement picture

OCR collected over $1.28 million across six HIPAA settlements in the first four months of 2026. Risk Analysis failures were cited in the majority. The Risk Analysis Initiative launched in October 2024 expanded in April 2026 to include explicit evaluation of risk management follow-through. Settlements have hit covered entities and business associates of every size. Single-practice covered entities have settled in this period.

The math of investment vs penalty

A $3,500 written Risk Analysis takes the most-cited deficiency in OCR enforcement off the table. A $30,000 settlement is roughly nine times what the analysis would have cost. A $170,000 settlement is nearly fifty times. A $350,000 settlement is one hundred times, before the multi-year Corrective Action Plan cost that usually comes with it. The expected-value math has favored doing the analysis for years; the 2026 enforcement intensity makes it more lopsided than ever.

11. What to do if you received an OCR letter

If a letter from the Office for Civil Rights is sitting on your desk right now, the next 72 hours determine most of the outcome. The full step-by-step protocol is at first 72 hours after an OCR investigation letter. The short version:

  1. Hour 1: Photograph or scan the letter. Note the response deadline (typically 14 to 30 days). Identify the specific issue cited.
  2. Day 1 to 2: Place a litigation hold on all related records. Do not modify any policy, training log, BAA, or Risk Analysis document. Do not delete anything.
  3. Day 2: Decide whether you need outside counsel. If the letter references 45 CFR 160 Subpart C enforcement procedures, civil monetary penalties, a breach over 500 records, or a willful-neglect allegation, retain healthcare regulatory counsel before responding.
  4. Day 3: Build your response timeline. List each document OCR requested, where it lives, and who is producing it. Document compliance actions of the past 24 months. Document corrective action taken since receiving the letter.

Do not backdate. Producing a Risk Analysis dated 2023 that you actually drafted last week transforms a compliance gap (which OCR often resolves through corrective action) into a finding of willful neglect (Tier 3 or Tier 4 penalties). OCR can verify creation dates through file metadata, through your prior responses to other inquiries, and through forensic review of the documents you produce. The honest path produces better outcomes than the hidden path.

Most complaint inquiries close after the initial response. Some lead to a Voluntary Corrective Action plan with no monetary penalty. Cases involving willful neglect, repeated violations, or substantial patient harm can lead to a Resolution Agreement with monetary settlement and a multi-year CAP. The path between those outcomes is the quality of your documentation, the speed and honesty of your response, and the corrective action you take while the investigation is open.

12. How NPA does it

North Privacy Advisors delivers a written HIPAA Risk Analysis built against all five HHS Audit Protocol criteria and all nine HHS Final Guidance elements. Three-week turnaround. Flat fee between $3,500 and $4,500 depending on practice size. CIPP/US certified principal advisor on every engagement.

The three-week process

  • Week 1: Intake and scoping. Kickoff call. ePHI inventory: every system, vendor, device, and workflow that touches patient data. BAA inventory review. Initial document gathering. Asset and threat catalog drafted.
  • Week 2: Analysis. Interviews with practice owner and key staff. Current security measures evaluation against every applicable implementation specification under 164.308, 164.310, and 164.312. Threat-vulnerability pairing. Likelihood and impact analysis using NIST SP 800-30 methodology. Risk ratings developed.
  • Week 3: Documentation and delivery. Written 25 to 40 page Risk Analysis drafted. Companion Risk Management Plan developed with 30-60-90 day action items. Draft review with the practice. Final delivery including signed and dated documentation, executive summary, and recommendations.

What you get

  • Written HIPAA Risk Analysis (25 to 40 pages) built against all 9 Final Guidance elements and all 5 Audit Protocol criteria
  • Companion Risk Management Plan with 30-60-90 day action items
  • Complete ePHI and vendor inventory
  • Threat-vulnerability mapping per NIST SP 800-30
  • Risk ratings with documented rationale
  • Executive summary for board or owner review
  • Signed and dated cover page identifying the CIPP/US preparer (the document OCR expects to see)
  • 60-minute readout call to walk through findings and answer questions

Pricing

  • $3,500 flat fee for a single-location small practice (typically 1 to 20 employees, single-EHR environment)
  • $4,500 flat fee for multi-location, multi-EHR, or annual refresh subscription
  • No retainer. No hourly meter. Pricing locked at engagement letter.

Who NPA is the right fit for

NPA works with small healthcare practices: solo and small group dental, medical, mental health, dermatology, ophthalmology, physical therapy, pediatric, telehealth, med spa, and concierge medicine. Practices with 1 to 100 employees. Practices that want a credentialed deliverable without retainer commitments or law-firm rates. Practices nationwide; NPA is Houston-based and maintains a Houston HIPAA consultant page for local clients.

Start with a written Risk Analysis.

Three weeks. Flat fee $3,500 to $4,500. CIPP/US certified. Built against all 5 HHS Audit Protocol criteria and all 9 Final Guidance elements.

See the service

Not ready for the full Risk Analysis?

The $750 Privacy Exposure Review identifies your top three privacy and HIPAA risks in 48 hours. Flat fee. No retainer. One-page memo with prioritized next steps. The fastest way to know exactly where you stand before committing to the full engagement.

13. Frequently asked questions

What is a HIPAA Risk Analysis?

A HIPAA Risk Analysis is a written, documented assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information a covered entity or business associate creates, receives, maintains, or transmits. It is required by 45 CFR 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. It is the document the Office for Civil Rights requests first when opening an investigation.

Is a HIPAA Risk Analysis required by law?

Yes. 45 CFR 164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct an accurate and thorough Risk Analysis. There is no employee count threshold. A solo dental practice has the same legal obligation as a hospital system.

How is a Risk Analysis different from a Risk Assessment?

In HIPAA terminology, the Risk Analysis is the specific written assessment required by 45 CFR 164.308(a)(1)(ii)(A) and evaluated against the HHS Final Guidance and HHS Audit Protocol. A Risk Assessment is a generic term covering many types of evaluations including IT vulnerability scans, breach risk assessments under 45 CFR 164.402, and informal walkthroughs. Software vendors and IT firms often use the terms interchangeably. OCR does not. Only the written Risk Analysis satisfies the Security Rule.

How much does a HIPAA Risk Analysis cost?

Pricing varies by approach. Software platforms cost $400 to $8,000 or more per year and produce questionnaire output. A credentialed flat-fee Risk Analysis from a CIPP/US advisor runs $3,500 to $4,500 for a small single-location practice. Large healthcare consultancies and law firms charge $15,000 to $40,000 or more. North Privacy Advisors prices flat at $3,500 to $4,500 with a three-week turnaround.

How often does the Risk Analysis need to be updated?

HIPAA does not specify a fixed interval, but OCR has consistently cited outdated analyses in enforcement actions. Any significant change to the practice such as new software, new vendors, a new location, or workflow changes should trigger a refresh. Annual refresh is the safe baseline. The proposed Security Rule update would codify an annual requirement.

Does HIPAA compliance software satisfy the Risk Analysis requirement?

Not on its own. Compliance software platforms produce self-assessment questionnaires that touch on the HHS Final Guidance criteria at a surface level. They typically do not produce documents that satisfy the HHS Audit Protocol's evaluation of current security measures (criterion 3) and likelihood and impact analysis (criterion 4) at the depth OCR has been applying in recent enforcement actions. Software is useful for ongoing operational hygiene. The Risk Analysis itself should be produced by a credentialed advisor.

What happens if my practice does not have a Risk Analysis when OCR investigates?

Missing or inadequate Risk Analysis is the single most-cited finding in OCR enforcement actions. It appeared in 13 of 20 recent matters. In 2025, 76 percent of all OCR enforcement actions included a Risk Analysis penalty. Settlements against small practices in 2024 and 2025 ranged from $10,000 to several hundred thousand dollars, with the largest published cases involving documented Risk Analysis failures combined with breach exposure.

Can I backdate a Risk Analysis after I receive an OCR letter?

No. OCR can verify creation dates through file metadata, prior responses to other inquiries, and forensic analysis. Backfilling documents transforms a compliance gap, which OCR often resolves through corrective action, into a finding of willful neglect, which carries substantially higher penalties. The honest path is to acknowledge the gap and demonstrate you have addressed it going forward.
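The metadata check referred to in this answer and in section 11 can be shown concretely. The Python below is an added example, not part of the guide and not a description of OCR's own procedures: it builds a small constructed DOCX-style package (a zip containing docProps/core.xml, the part in which Word records the dcterms:created and dcterms:modified timestamps), reads those timestamps back, and compares them with the date the cover page claims. The package contents, creator name, and dates are all constructed for the example.

```python
"""Compare a DOCX's embedded creation/modification timestamps with the date its cover page claims.

Added example. Word stores these timestamps in docProps/core.xml inside the .docx zip package;
the sample package, names and dates below are constructed for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Namespaces used by the Open Packaging Conventions core-properties part.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def build_sample_docx(created: str, modified: str, creator: str = "Practice Admin") -> bytes:
    """Build a minimal DOCX-like zip with only the parts this check needs (constructed sample)."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def _parse_w3cdtf(text):
    """Parse the W3C date-time format Word writes, e.g. 2023-11-14T09:00:00Z."""
    if not text:
        return None
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def read_core_timestamps(docx_bytes: bytes) -> dict:
    """Return creator, created and modified from docProps/core.xml (None when absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {"creator": None, "created": None, "modified": None}
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", default=None, namespaces=NS),
        "created": _parse_w3cdtf(root.findtext("dcterms:created", default=None, namespaces=NS)),
        "modified": _parse_w3cdtf(root.findtext("dcterms:modified", default=None, namespaces=NS)),
    }


def check_claimed_date(docx_bytes: bytes, claimed_iso: str) -> list:
    """Compare the package timestamps with the date printed on the cover page.

    Returns a list of human-readable findings; an empty list means nothing contradicts
    the claimed date (not proof the date is genuine, since metadata is editable).
    """
    claimed = date.fromisoformat(claimed_iso)
    ts = read_core_timestamps(docx_bytes)
    findings = []
    if ts["created"] is None:
        findings.append("no dcterms:created in docProps/core.xml (metadata missing or stripped)")
        return findings
    if ts["created"].date() > claimed:
        findings.append(f"package created {ts['created'].date()} but cover page claims {claimed}")
    if ts["modified"] is not None and ts["modified"] < ts["created"]:
        findings.append("modified timestamp precedes created timestamp (metadata edited)")
    return findings


if __name__ == "__main__":
    # Constructed samples: one consistent with a 2023-11-14 cover date, one drafted in 2026.
    genuine = build_sample_docx("2023-11-14T09:00:00Z", "2023-11-20T15:30:00Z")
    backdated = build_sample_docx("2026-05-28T20:12:00Z", "2026-05-29T08:00:00Z")
    for label, doc in (("genuine", genuine), ("backdated", backdated)):
        print(label, check_claimed_date(doc, "2023-11-14") or ["consistent"])
```

Embedded timestamps are trivially edited, so a clean result proves nothing on its own. An inconsistent one (a package created after the date on its cover, a modified time earlier than its created time, or timestamps stripped entirely) is exactly the kind of signal that invites the cross-checks the answer describes: prior responses, correspondence, and forensic review of the files actually produced.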

Who needs a HIPAA Risk Analysis?

Every HIPAA covered entity and every business associate. Covered entities include health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA transaction. Business associates are vendors that handle PHI on behalf of a covered entity, including IT support, billing companies, document destruction services, and certain marketing tools. Size does not change the obligation.

How long does a HIPAA Risk Analysis take?

North Privacy Advisors completes a Risk Analysis in three weeks. Industry standard for credentialed engagements is six to twelve weeks. Software-driven self-assessments can be completed in days but require 20 to 40 hours of practice staff time filling questionnaires and rarely meet the substantive HHS Audit Protocol bar.

What is the difference between a Risk Analysis and a Risk Management Plan?

45 CFR 164.308(a)(1)(ii)(A) requires the Risk Analysis: the assessment of risks. 45 CFR 164.308(a)(1)(ii)(B) requires the Risk Management Plan: the documented actions the practice will take to reduce the identified risks. OCR investigates both. Having a Risk Analysis with no follow-through Risk Management Plan is now a frequently cited deficiency under OCR's expanded Risk Analysis Initiative.

Does OCR recognize HIPAA compliance seals or badges?

No. HHS and OCR do not issue, endorse, or recognize any private HIPAA compliance seal, badge, or certification. During an investigation, OCR evaluates your actual documentation: the written Risk Analysis, policies, training records, BAA inventory, and incident response evidence. A vendor-issued badge carries no legal weight.

Ready to produce the document OCR asks for first?

Flat fee $3,500 to $4,500. Three weeks. CIPP/US certified. Or start with a $750 Privacy Exposure Review.

Book a consultation