Conducting a security risk analysis is a required measure for all HIPAA covered entities. Eligible professionals must conduct or review a security risk analysis for each reporting period to ensure the privacy and security of their patients’ protected health information. 


The latest HIPAA Audit Program results found that 83% of covered entities failed to perform an adequate security risk analysis (SRA). Additionally, 94% failed to establish or maintain an information security risk management plan. Failing to perform a risk assessment, or performing an insufficient one, is the leading cause of failing a HIPAA audit.

HIPAA security risk assessment requirements can be intimidating for any organization, and there are many myths surrounding the process and requirements. So let’s break down the top five SRA (Security Risk Analysis) myths, and provide facts and tips that can help you structure your risk analysis process.

MYTH: The security risk analysis is optional for small providers.
FACT: All HIPAA “covered entities” are required to perform a risk analysis, regardless of practice size. Additionally, if you report for Meaningful Use or plan to attest for MACRA, you run the risk of incurring additional penalties or other consequences if you are audited and have failed to perform a risk analysis.

MYTH: My EHR vendor took care of my SRA.
FACT: Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, it is solely your responsibility to have a complete risk analysis conducted.

MYTH: A checklist will suffice for the risk analysis requirement.
FACT: Checklists can be useful tools, but they fall short of performing a systematic security risk analysis or documenting that one has been performed. Many practices are guilty of performing a “check the box” SRA and not taking the actual steps to prevent a security breach. A checklist approach is regarded by auditors as being just as bad as a missing risk assessment.

MYTH: My security risk analysis only needs to look at my EHR. 
FACT: All electronic devices that store, capture, or modify electronic protected health information must be reviewed. This includes, but is not limited to: tablets, computers, cell phones, and even copiers/fax machines.

MYTH: I only need to do a risk analysis once.
FACT: To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

Risk analysis is the first step in an organization’s HIPAA compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

Taking your security initiatives to the next level, Breadcrumb Cybersecurity moves your organization beyond compliance to actively defending against breach. Utilizing real-world strategies, Breadcrumb helps you protect your patients’ data, while ensuring you meet all HIPAA/MACRA regulatory requirements.

Breadcrumb Cybersecurity offers the only HIPAA, MU and MACRA/MIPS compliant SRA along with a practical and actionable comprehensive cyber review. Contact us today for a no-obligation consultation.