

Compliance

The HIPAA Security Risk Assessment most small practices get wrong.

OCR isn't auditing your antivirus license — they want a documented risk assessment that maps to 45 CFR § 164.308. Here's the 8-page version your auditor will accept, with the gaps small practices miss.

By WHT Cyber Engineering · June 10, 2026 · 9 min read

If you run a small medical practice, dental office, or any HIPAA-covered organization, you've probably heard you need a Security Risk Assessment. Maybe your insurance asks. Maybe a patient threatened a complaint. Maybe you just got a letter from the Office for Civil Rights and your stomach dropped.

Here's what almost every small practice gets wrong: they treat the SRA like an antivirus license check. They write down "we have a firewall" and call it done.

OCR doesn't audit your antivirus. OCR audits whether you can show a documented, risk-based process that maps directly to 45 CFR § 164.308(a)(1)(ii)(A). The difference is the difference between a clean audit and a six-figure resolution agreement.

Below is the 8-page version that auditors actually accept, the gaps small practices miss most often, and how to do this without buying a $30K compliance platform.

What HIPAA actually requires

The Security Rule has three parts: Administrative, Physical, and Technical Safeguards. The Risk Assessment is the foundation — every other control flows from it.

The regulation says you must:

  • Identify where electronic protected health information (ePHI) lives, moves, and is stored
  • Identify reasonably anticipated threats to that ePHI
  • Assess the likelihood and impact of each threat
  • Determine what security measures are in place
  • Document the results, and update them whenever something material changes

What it does not say: use a specific template, certify with a specific body, or pay anyone in particular. The rule is intentionally flexible — and that flexibility is exactly what trips up small practices.

The 8-page template that works

An auditor-defensible SRA for a small practice fits in eight pages. Not fifty. Not three. Eight.

Page 1: Scope and methodology

Who did this assessment, when, what methodology (NIST 800-30 is the most defensible reference), and what was in scope. One paragraph each. Sign and date.

Page 2: ePHI inventory

A table. Every system that creates, receives, transmits, or stores ePHI. Each row: system name, vendor, location (on-prem, SaaS, or hybrid), data sensitivity, BAA in place (yes/no, date), backup method, encryption at rest, encryption in transit.

This is the page small practices fail. They miss the texting app the front desk uses to remind patients. They miss the cloud fax that emails PDFs to staff inboxes. They miss the laptop the doctor takes home that has the EHR client installed.

Common omissions

Patient communication apps (Klara, Solutionreach, OhMD). Cloud fax (Updox, eFax). Backup services. Email archives. Old laptops still on the books. The personal phone the after-hours doctor uses. Every one of these handles ePHI — and every vendor behind them needs a BAA.

Page 3: Threat inventory

The threats you reasonably need to consider, by category. A typical list for a small practice:

  • External: ransomware, phishing, credential theft, web app exploitation, supply chain compromise
  • Internal: malicious insider, accidental disclosure, lost or stolen device, unauthorized access by terminated staff
  • Physical: theft, fire, flood, power loss
  • Technical: software vulnerability, system failure, backup failure

You don't need to enumerate every CVE. You need to show you considered the categories that apply to a practice like yours.

Page 4: Vulnerability assessment

The flip side of threats — your specific weaknesses. This is where you map your environment honestly. Examples:

  • Server OS version is end-of-life and no longer receives patches (Windows Server 2012 R2)
  • Three staff members share a single Office 365 license (audit trail unreliable)
  • MFA enabled but not enforced; only 6 of 12 staff have enrolled
  • Backup runs nightly to a NAS in the office; off-site copy is a USB drive rotated monthly
  • No documented termination procedure for revoking system access

If you can't write specific items here, you haven't done the assessment.

Page 5: Risk register

The combination of threat + vulnerability + asset, scored. A simple 3x3 grid (Low/Medium/High for likelihood, Low/Medium/High for impact) is enough for an auditor. NIST 800-30 has the framework if you want to be formal about it.

For each high-risk item, write the mitigation in plain English. "Enforce MFA on all M365 accounts via Conditional Access policy by July 1." Specific. Dated. Accountable.

Page 6: Existing safeguards

What you already have. Don't be modest — list everything. Antivirus, firewall, EDR, MFA (with caveats from page 4), backup software, BAAs in place, training cadence, physical access controls, locked file cabinets, password policy, screen lock timeout. Every safeguard is a defense in your favor.

Page 7: Action plan

Open items from page 5, owners, dates, status. This is the page OCR reads first if they audit you, because it tells them whether you treated the SRA as paperwork or as a real process.

A few "in progress" items are fine — even good. They show the SRA is a living document. A bunch of "TBD" items two years after the assessment is the kind of thing that gets cited.
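To make pages 5 and 7 concrete, here is an added worked example (not the firm's tooling and not an HHS artifact) that scores a small risk register on the 3x3 likelihood/impact grid described above and then runs the action-plan check an auditor would apply: every High item needs a plain-English mitigation with an owner and a date, and open items that have sat untouched for more than a year are flagged. The score thresholds (product of 1-3 scores: 1-2 Low, 3-4 Medium, 6-9 High), the one-year staleness window, and the sample entries are assumptions constructed for the example, though the vulnerabilities are the ones the page lists.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Ordinal values for the page's Low/Medium/High levels.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def rate(likelihood: str, impact: str) -> str:
    """Bucket likelihood x impact into a rating. Thresholds are an assumption."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    asset: str            # from the ePHI inventory (page 2)
    threat: str           # from the threat inventory (page 3)
    vulnerability: str    # from the vulnerability assessment (page 4)
    likelihood: str
    impact: str
    mitigation: str = ""  # plain-English action (page 5)
    owner: str = ""
    due: Optional[date] = None
    status: str = "Open"  # Open / In progress / Done (page 7)

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.impact)


def build_register(items: List[RiskItem]) -> List[RiskItem]:
    """Highest risk first; items with equal rating keep their written order."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(items, key=lambda i: order[i.rating])


def action_plan_findings(items: List[RiskItem], assessed_on: date, today: date,
                         stale_after_days: int = 365) -> List[str]:
    """Flag High items lacking an owned, dated mitigation, and open items gone stale."""
    findings = []
    age = (today - assessed_on).days
    for i in items:
        if i.rating == "High" and (not i.mitigation or not i.owner or i.due is None):
            findings.append(f"{i.asset}: High risk without a dated, owned mitigation")
        if i.status != "Done" and age > stale_after_days:
            findings.append(f"{i.asset}: still '{i.status}' {age} days after assessment")
    return findings


# Constructed sample register (assumed dates and owners).
ASSESSED_ON = date(2026, 6, 10)
SAMPLE_ITEMS = [
    RiskItem("Front desk PC", "Physical theft", "No screen lock timeout",
             "Low", "Medium", "Set 5-minute screen lock via GPO",
             "IT vendor", date(2026, 6, 20), "Done"),
    RiskItem("EHR server", "Ransomware", "Windows Server 2012 R2, end-of-life",
             "High", "High", "Migrate EHR server to a supported OS",
             "IT vendor", date(2026, 9, 30), "In progress"),
    RiskItem("M365 mailboxes", "Credential theft", "MFA enabled but not enforced",
             "High", "High", "Enforce MFA on all M365 accounts via Conditional Access",
             "Security Officer", date(2026, 7, 1)),
    RiskItem("Office NAS backup", "Ransomware", "Off-site copy is a USB drive rotated monthly",
             "Medium", "High"),  # no mitigation yet: this is what the check catches
]

if __name__ == "__main__":
    for item in build_register(SAMPLE_ITEMS):
        print(f"{item.rating:6} {item.asset}: {item.threat} / {item.vulnerability}")
    for finding in action_plan_findings(SAMPLE_ITEMS, ASSESSED_ON, ASSESSED_ON):
        print("FINDING:", finding)
```

Run it once on the day of the assessment and the only finding is the NAS backup item with no mitigation; run it again with a `today` two years out and every item that is not "Done" is also flagged as stale, which is the "TBD two years later" situation the page warns about.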

Page 8: Sign-off

Privacy Officer, Security Officer, practice owner, and any external advisor. Date. Next review date (annually, or sooner if something material changes — new EHR, new location, new vendor, breach, regulation change).

The gaps small practices miss

The Notice of Privacy Practices is not the same as the SRA. NPP is patient-facing; SRA is operational. Auditors ask for both.

BAAs with everyone who touches ePHI. Your cloud backup vendor. Your IT support vendor. Your shredding company. Your patient communication app. Your accountant if they ever see EOBs. Yes, all of them.

Sanction policy. The Security Rule requires a written policy for how you discipline staff who violate HIPAA. "We'd fire them" isn't enough — write it down.

Annual training, documented. One-time onboarding training doesn't satisfy the rule. Annual, all staff, signed acknowledgments retained.

Incident response plan. Required by 45 CFR § 164.308(a)(6). What you do when ePHI is suspected to have been disclosed. Who decides. Who notifies. What forensic steps are taken. What you tell patients.

Workforce access reviews. Quarterly minimum. Who has access to what. Who left? Did you actually revoke their access on the last day? (We find unrevoked accounts in about half the practices we audit.)
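The quarterly access review above is easy to automate once you can get two exports: the HR roster (with termination dates) and an account list from each system that holds ePHI. The following added example (my own illustration, not the firm's process or any vendor's tool) reconciles the two and reports exactly the three things the review is looking for: accounts still enabled after the person's last day, accounts with no matching workforce record (shared or orphaned logins, which also undermine the audit trail), and enabled accounts nobody has used in a quarter. The CSV layouts, email-based matching, and the 90-day dormancy window are assumptions; the data is constructed.

```python
import csv
from datetime import date
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Constructed sample: HR roster export (assumed column layout).
ROSTER_CSV = """\
employee_id,name,email,terminated_on
101,Dana Reyes,dreyes@example-clinic.test,
102,Lee Park,lpark@example-clinic.test,2026-04-30
103,Sam Ortiz,sortiz@example-clinic.test,
"""

# Constructed sample: account export from the EHR and M365 (assumed columns).
ACCOUNTS_CSV = """\
username,email,enabled,last_login,system
dreyes,dreyes@example-clinic.test,true,2026-06-09,EHR
lpark,lpark@example-clinic.test,true,2026-05-14,EHR
lpark,lpark@example-clinic.test,false,2026-04-29,M365
frontdesk,,true,2026-06-10,EHR
sortiz,sortiz@example-clinic.test,true,2026-01-03,M365
"""


def parse_date(value: str) -> Optional[date]:
    """Empty cells mean 'not terminated' / 'never logged in'."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def load_roster(text: str) -> Dict[str, Optional[date]]:
    """Map lower-cased work email -> termination date (None if still employed)."""
    roster = {}
    for row in csv.DictReader(StringIO(text)):
        roster[row["email"].strip().lower()] = parse_date(row["terminated_on"])
    return roster


def review_access(roster_text: str, accounts_text: str, today: date,
                  dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (system/username, reason) pairs that need a reviewer's decision."""
    roster = load_roster(roster_text)
    findings = []
    for acct in csv.DictReader(StringIO(accounts_text)):
        key = f"{acct['system']}/{acct['username']}"
        enabled = acct["enabled"].strip().lower() == "true"
        email = acct["email"].strip().lower()
        last_login = parse_date(acct["last_login"])

        if email not in roster:
            # No person behind the login: shared, service, or orphaned account.
            findings.append((key, "no matching workforce record (shared or orphaned account)"))
            continue

        terminated_on = roster[email]
        if terminated_on is not None and enabled:
            # The page's headline gap: access not revoked on the last day.
            days = (today - terminated_on).days
            findings.append((key, f"still enabled {days} days after termination on {terminated_on}"))
        elif enabled and last_login is not None and (today - last_login).days > dormant_days:
            # Unused for more than a quarter: confirm the access is still needed.
            findings.append((key, f"dormant: last login {last_login}"))
    return findings


if __name__ == "__main__":
    for account, reason in review_access(ROSTER_CSV, ACCOUNTS_CSV, date(2026, 6, 10)):
        print(f"{account}: {reason}")
```

A terminated user whose account is already disabled (Lee Park's M365 login in the sample) produces no finding, which is the evidence you want in the file; the still-enabled EHR login for the same person is the one that gets cited. Keep the output with the signed review as the record that the check was actually performed.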

What it costs to do this right

You can do it yourself if you have the time and the discipline. HHS provides a free Security Risk Assessment Tool at hhs.gov/hipaa/for-professionals/security/guidance/sra-tool. It's clunky, but it's defensible.

Or you can pay a security firm to do it for you. Quality engagements run $5K-$15K for a typical small practice. Higher if you're multi-site or have unusual systems. Walk away from anyone offering an SRA for under $1,500 — they're selling you a checklist, and OCR can tell.

What we provide

For HIPAA-covered clients, the SRA is included in our managed service. We update it annually, after material changes, and any time you're entering a renewal cycle for cyber insurance or a payer contract. The deliverable is yours; you can hand it to your attorney or to OCR directly.

If you've never done one — start anyway

Practices we work with often haven't done a real SRA in five years. The fear of "we'll find something bad" keeps them from starting. Here's the truth: OCR knows you have gaps. Every covered entity does. What they want to see is that you're actively managing them.

The worst SRA — an honest one, with real findings, real owners, and real dates — is infinitely better than no SRA, or a perfect-looking one that doesn't match reality.

Block out an afternoon. Pull the eight pages above into a Word doc. Start filling them in with what you actually have. Be honest. Be specific. Sign and date it.

You're now further ahead than 70% of practices your size.

Want this audited for your environment?

A 30-minute call. We'll tell you what's already solid, what needs work, and what we'd charge. No deck. No pressure.
