
HIPAA Security Risk Assessment: Step-by-Step

Conduct your required HIPAA security risk assessment with ease. Download free templates and avoid common vulnerabilities. Start protecting PHI now.

TheraFocus Team
HIPAA Compliance Specialists
December 15, 2025

If you run a therapy practice, there is one compliance requirement you cannot skip: the HIPAA Security Risk Assessment. It is not a suggestion or a best practice. It is a federal mandate that applies to every covered entity handling electronic protected health information (ePHI), from large hospital systems down to solo practitioners working from home offices.

Yet according to HHS enforcement data, failure to conduct a proper risk assessment remains the most common HIPAA violation. Many therapists either skip it entirely, conduct a superficial review, or complete one assessment and never revisit it. This guide provides a comprehensive, step-by-step approach to conducting a thorough security risk assessment that satisfies HIPAA requirements and genuinely protects your practice.

  • 100% required: applies to all covered entities
  • Annual minimum frequency: reassess at least yearly, or whenever changes occur
  • $1.5M maximum annual fine: per violation category
  • 6 years retained: documentation must be kept on file

What Is a HIPAA Security Risk Assessment?

A Security Risk Assessment (SRA) is a systematic examination of your practice's security measures to identify vulnerabilities that could compromise patient information. Think of it as a comprehensive health check for your practice's data security, where you evaluate every point where ePHI could be accessed, stored, transmitted, or potentially exposed.

The HIPAA Security Rule requires covered entities to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information." This is not a one-time checkbox. It is an ongoing process that must be revisited regularly and whenever significant changes occur in your practice.

Why Most Practices Get This Wrong

Many therapists treat the SRA as a form to fill out once and file away. This approach misses the point entirely. A proper assessment is not about paperwork. It is about genuinely understanding where your vulnerabilities exist and taking meaningful action to address them. The practices that face enforcement actions typically share one of three problems: they never conducted an assessment, they conducted a superficial review that missed obvious risks, or they identified risks but failed to take corrective action.

Common Mistakes to Avoid

  • Treating it as a one-time event instead of an ongoing process
  • Copying a generic template without customizing for your practice
  • Identifying risks but never creating an action plan
  • Forgetting to reassess after adding new technology
  • Not documenting the assessment process properly

Best Practices to Follow

  • Schedule annual reviews with calendar reminders
  • Walk through your actual workflow and systems
  • Create action plans with specific deadlines
  • Reassess immediately when adding new tools or staff
  • Keep detailed records of findings and remediation

The Complete Risk Assessment Process

Conducting a thorough security risk assessment involves nine distinct steps. While this may seem extensive, each step builds on the previous one to create a complete picture of your security posture. For a solo practitioner, this process might take a full day. For group practices, plan for several days of focused work.

Step 1: Define Your Scope

Before diving into the assessment, clearly define what you are evaluating. This includes every system, device, location, and process that touches ePHI. For most therapy practices, this means your EHR system, practice management software, email, mobile devices, computers, cloud storage, backup systems, and even paper records that might be scanned or referenced electronically.

Do not forget about less obvious ePHI locations. Voicemail systems that store patient messages, text messaging apps (if you use them for scheduling), video conferencing platforms for telehealth, and even your smartphone if you access work email on it all fall within scope.

Step 2: Identify Where ePHI Lives

Create a comprehensive inventory of every location where electronic protected health information is created, received, maintained, or transmitted. This inventory becomes the foundation for your entire assessment. Be thorough here, as missed locations represent unexamined vulnerabilities.

Common ePHI Locations in Therapy Practices

When inventorying ePHI, do not overlook these frequently missed locations:

  • Email attachments and draft folders
  • Cloud storage services (Dropbox, Google Drive, iCloud)
  • Billing software and clearinghouse portals
  • Appointment reminder systems
  • Secure messaging platforms
  • Backup drives and archived data
  • Old computers or devices not yet properly wiped

Step 3: Identify Potential Threats

For each ePHI location, identify what could go wrong. Threats fall into several categories: natural disasters (floods, fires, power outages), human error (accidentally sending records to the wrong person, losing a device), malicious actors (hackers, ransomware, disgruntled employees), and system failures (hardware crashes, software bugs, data corruption).

Be specific rather than generic. Instead of writing "hacking," consider specific scenarios like "phishing email leads to compromised credentials" or "outdated software contains exploitable vulnerability." This specificity helps you develop targeted countermeasures.

Step 4: Assess Current Security Measures

Document what protections you already have in place. This includes technical safeguards like encryption, firewalls, and antivirus software. It also includes administrative safeguards like policies, training, and access controls. Physical safeguards matter too, such as locked offices, security cameras, and device storage procedures.

Be honest in this assessment. If you have a policy but nobody follows it, that policy is not providing real protection. If you have encryption enabled but use weak passwords, the encryption alone is insufficient. Document what actually happens in practice, not just what policies say should happen.

Step 5: Determine Likelihood and Impact

For each threat you identified, rate both how likely it is to occur and how severe the impact would be if it did. Many practices use a simple high-medium-low scale for both dimensions. A threat with high likelihood and high impact is a critical priority. A threat with low likelihood and low impact might be acceptable to address later.

Likelihood Factors

  • High: Threat has occurred before or is common in healthcare
  • Medium: Threat is possible and controls are incomplete
  • Low: Threat is unlikely or strong controls exist

Impact Factors

  • High: Large breach affecting many patients or sensitive data
  • Medium: Limited breach or moderate operational disruption
  • Low: Minimal data exposure or easily recoverable incident

Step 6: Calculate Risk Levels

Combine your likelihood and impact ratings to determine overall risk levels. Critical risks (high likelihood and high impact) demand immediate attention. High risks should be addressed within 30 days. Medium risks belong on your action plan with reasonable timelines. Low risks can be monitored and addressed as resources allow.

Step 7: Develop Your Risk Management Plan

For each identified risk, decide how you will handle it. You have four options: mitigate it by implementing additional controls, transfer it through insurance or vendor agreements, accept it after determining the risk is tolerable, or avoid it by eliminating the activity that creates the risk.

Most risks in therapy practices are mitigated through a combination of technology improvements, policy updates, and staff training. Document your decision for each risk and the rationale behind it. If you accept a risk, explain why the current controls are sufficient.

Step 8: Create Action Items with Deadlines

Transform your risk management decisions into specific, actionable tasks. Each action item should include what needs to be done, who is responsible, when it must be completed, and how you will verify it was effective. Vague commitments like "improve security" are useless. Specific items like "enable two-factor authentication on EHR by January 15" are actionable.

Step 9: Document Everything

Your documentation serves multiple purposes. It demonstrates compliance to auditors and regulators. It provides a baseline for future assessments. It creates accountability for follow-through on action items. Keep records of your assessment process, findings, decisions, and completed remediation activities.
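To show how Steps 5 through 9 fit together as one record, here is a small risk register in Python. It is an added example, not a tool from the article or from TheraFocus: it rates each threat, maps the rating to a tier and a remediation window, records the treatment decision, and reports documentation gaps (an accepted risk without a rationale, an action item without an owner or a verification step, a deadline outside the tier's window). The article fixes only two points of the matrix (high likelihood plus high impact is critical; high risks are due within 30 days); the rest of the matrix, the 7-day and 90-day windows, and the sample register entries are assumptions constructed for this example.

```python
"""Risk register for a HIPAA security risk assessment (added example).

Only 'high/high = critical' and 'high risks within 30 days' come from the
article; the remaining matrix cells and windows are assumptions made here.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

LEVELS = {"low": 1, "medium": 2, "high": 3}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Remediation window in days per tier; None means "monitor, address as resources allow".
DEADLINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": None}
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}


def risk_tier(likelihood: str, impact: str) -> str:
    """Combine the two three-point ratings (Step 5) into one tier (Step 6).
    Assumption: tier is driven by the sum of the two ratings."""
    score = LEVELS[likelihood] + LEVELS[impact]
    if score == 6:
        return "critical"   # high likelihood and high impact
    if score == 5:
        return "high"       # one rating high, the other medium
    if score == 4:
        return "medium"     # medium/medium, or high paired with low
    return "low"


@dataclass
class ActionItem:
    what: str     # the specific task (Step 8)
    who: str      # responsible person
    due: date     # completion deadline
    verify: str   # how effectiveness will be confirmed


@dataclass
class Risk:
    location: str          # ePHI location from the inventory (Step 2)
    threat: str            # specific scenario, not a generic category (Step 3)
    current_controls: str  # what is actually in place today (Step 4)
    likelihood: str
    impact: str
    treatment: str         # mitigate / transfer / accept / avoid (Step 7)
    rationale: str = ""    # required when the risk is accepted
    actions: list = field(default_factory=list)

    @property
    def tier(self) -> str:
        return risk_tier(self.likelihood, self.impact)


def validate(risk: Risk, assessed_on: date) -> list:
    """Return the documentation gaps for one entry; an empty list means complete."""
    gaps = []
    if risk.treatment not in TREATMENTS:
        gaps.append(f"unknown treatment '{risk.treatment}'")
    if not risk.current_controls:
        gaps.append("current controls not documented")
    if risk.treatment == "accept" and not risk.rationale:
        gaps.append("accepted risk has no rationale")
    if risk.treatment != "accept" and not risk.actions:
        gaps.append("no action item for a risk that was not accepted")
    window = DEADLINE_DAYS[risk.tier]
    for a in risk.actions:
        if not (a.what and a.who and a.verify):
            gaps.append(f"action '{a.what}' missing owner or verification step")
        if window is not None and a.due > assessed_on + timedelta(days=window):
            gaps.append(f"action '{a.what}' due after the {window}-day window for {risk.tier} risk")
    return gaps


def assess(register: list, assessed_on: date) -> list:
    """Prioritised action plan: one dict per risk, critical first, with its gaps."""
    ordered = sorted(register, key=lambda r: TIER_ORDER[r.tier])
    return [{"location": r.location, "threat": r.threat, "tier": r.tier,
             "treatment": r.treatment, "gaps": validate(r, assessed_on)} for r in ordered]


# Constructed sample register for a small practice (not real assessment data).
ASSESSED_ON = date(2025, 12, 15)
SAMPLE_REGISTER = [
    Risk("laptop", "lost laptop exposes session notes", "password login only",
         "medium", "high", "mitigate",
         actions=[ActionItem("enable full-disk encryption", "practice owner",
                             date(2025, 12, 29), "screenshot of encryption status")]),
    Risk("EHR", "phishing email leads to compromised credentials", "password only",
         "high", "high", "mitigate",
         actions=[ActionItem("enable two-factor authentication on EHR", "practice owner",
                             date(2025, 12, 20), "login requires second factor")]),
    Risk("office", "flood destroys on-site backup drive", "nightly encrypted cloud backup",
         "low", "medium", "accept", rationale="cloud copy is restorable within a day"),
    Risk("email", "record sent to wrong recipient", "no recipient confirmation",
         "medium", "medium", "mitigate",
         actions=[ActionItem("turn on send-delay and recipient check", "office manager",
                             date(2026, 4, 30), "test message held before sending")]),
    Risk("voicemail", "old patient messages retained on phone", "",
         "low", "low", "accept"),  # no controls documented, no rationale
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, ASSESSED_ON):
        print(f"{row['tier']:8} {row['location']:9} {row['treatment']:8} gaps={row['gaps']}")
```

Run as a script it prints the plan in priority order; the two entries with gaps (the email action is due after the 90-day medium window, and the voicemail risk is accepted with neither documented controls nor a rationale) are exactly the entries an auditor would query, which is the point of doing the check before the register is filed.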

Documentation Requirements

HIPAA requires you to retain documentation for six years from the date of creation or the date when the policy was last in effect, whichever is later. Your risk assessment documentation should be comprehensive enough that an auditor can understand what you evaluated, what you found, and what you did about it.

Required Documentation Elements

  • Assessment date and reviewer information - Who conducted the assessment and when
  • Scope of assessment - Systems, locations, and processes included
  • ePHI inventory - Complete list of where patient data resides
  • Threat and vulnerability identification - What could go wrong for each ePHI location
  • Current security controls - Existing protections already in place
  • Risk ratings - Likelihood and impact scores for each threat
  • Risk management decisions - How each risk will be handled and why
  • Action plan - Specific tasks, responsible parties, and deadlines
  • Remediation tracking - Evidence that action items were completed

Common Vulnerabilities in Therapy Practices

After reviewing thousands of therapy practice security assessments, certain vulnerabilities appear repeatedly. Addressing these common issues will resolve the majority of risks in most practices.

High-Priority Vulnerabilities to Address

Weak or Reused Passwords

Use unique, complex passwords for every system. Implement a password manager to make this manageable.

Missing Two-Factor Authentication

Enable 2FA on your EHR, email, and any system containing ePHI. This single control prevents most unauthorized access.

Unencrypted Devices

Enable full-disk encryption on all computers, laptops, and mobile devices that access patient information.

Outdated Software

Keep operating systems, applications, and security software updated. Unpatched vulnerabilities are a primary attack vector.

No Backup Strategy

Implement automated, encrypted backups with regular testing. Ransomware attacks target practices without reliable backups.

When to Conduct a New Assessment

While annual assessments are the minimum standard, certain events should trigger an immediate reassessment. Adding new technology or software to your practice, hiring new staff members, changing physical locations, experiencing a security incident, receiving new information about threats targeting healthcare, or significantly changing your workflows all warrant a fresh look at your security posture.

Many practices find it helpful to conduct a brief quarterly review between annual comprehensive assessments. This lighter review confirms that action items are progressing, checks for any new risks, and ensures nothing has changed significantly enough to require a full reassessment.

Tools and Resources

HHS provides a free Security Risk Assessment Tool designed specifically for small and medium healthcare practices. While not mandatory to use, it provides a structured approach that covers all required elements. Commercial alternatives offer more features and support but are not necessary for compliance.

Regardless of which tool you use, the most important factor is thoroughness and honesty. A simple spreadsheet completed with genuine attention to your actual practices and vulnerabilities is more valuable than a sophisticated tool filled out superficially.

Frequently Asked Questions

How long should a security risk assessment take?

For a solo practitioner, plan for a full day of focused work. Group practices should allocate several days depending on size and complexity. Rushing through the assessment defeats its purpose and may leave significant vulnerabilities unidentified.

Can I conduct the assessment myself or do I need an outside expert?

Solo practitioners and small practices can absolutely conduct their own assessments. The key is thoroughness and objectivity. Larger practices or those with complex technology environments may benefit from outside expertise, but it is not required.

What if I find risks I cannot afford to fix immediately?

Document the risk, your decision to accept it temporarily, and your plan for eventual remediation. HIPAA recognizes that resources are limited. What matters is that you have thoughtfully considered the risk and have a reasonable plan to address it.

Does using HIPAA-compliant software mean I do not need an assessment?

No. Even with compliant software, you must assess your own practices, configurations, and the security of your broader technology environment. The software vendor handles their security, but you are responsible for how you use it and everything around it.

What happens if I am audited and have not done an assessment?

Failure to conduct a risk assessment is a direct HIPAA violation that can result in significant fines. In HHS enforcement actions, missing risk assessments are cited more frequently than any other single violation. The good news is that starting now still helps, even if past assessments were not completed.

Key Takeaways

  • Security risk assessments are mandatory under HIPAA - not optional or recommended
  • Conduct assessments annually at minimum, and immediately when significant changes occur
  • Document everything thoroughly and retain records for six years
  • Focus on common vulnerabilities first: passwords, two-factor authentication, encryption, and updates
  • Create specific action plans with deadlines - identifying risks without addressing them is insufficient
  • Using HIPAA-compliant software does not eliminate the need for your own assessment

Simplify Your HIPAA Compliance

TheraFocus is built with HIPAA security requirements in mind. Encryption, access controls, audit logging, automatic backups, and a Business Associate Agreement are all included. Focus on providing excellent therapy while we handle the compliance infrastructure.


The TheraFocus team is dedicated to empowering therapy practices with cutting-edge technology, expert guidance, and actionable insights on practice management, compliance, and clinical excellence.
