
The HIPAA Security Risk Analysis: the first document auditors ask for

Aegis AI™ · Updated July 2026

Most HIPAA obligations give you some room to decide how to meet them. The Security Risk Analysis is not one of them. 45 CFR §164.308(a)(1)(ii)(A) classifies it as Required: every covered entity and every business associate must conduct it, document it, and keep it current. When OCR investigates a breach or runs an audit, the risk analysis is among the first documents requested, and risk-analysis failures appear repeatedly in OCR enforcement actions.

If you cannot produce yours, dated and complete, this guide is for you.

Who needs one (more organizations than expect it)

What the analysis must actually contain

OCR's guidance describes the required elements. A defensible SRA works through, in writing:

  1. Scope: where ePHI is created, received, maintained, and transmitted across your environment, including vendors.
  2. Threats and vulnerabilities: what could plausibly go wrong for each place ePHI lives or moves.
  3. Current safeguards: what protections exist today, mapped against the Security Rule's administrative, physical, and technical safeguards.
  4. Likelihood and impact: a documented risk rating for each threat-vulnerability pair, not a gut feeling.
  5. Documented results: the findings, prioritized, with the follow-on risk-management plan §164.308(a)(1)(ii)(B) requires.

The "Addressable" trap. Some Security Rule safeguards are labeled Addressable, and it is the most misread word in HIPAA. Addressable does not mean optional. It means implement the safeguard, or document a reasoned alternative and why it is equivalent. An SRA that silently skips Addressable items reads as incomplete to any reviewer.
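To make the five elements above and the Addressable rule concrete, here is a small risk register in Python. It is an added example, not Aegis AI's product code or OCR's method: each entry is one place ePHI lives or moves, paired with a threat, a vulnerability, a likelihood/impact rating, and the safeguards that apply. The scoring scale (1-3 for each of likelihood and impact), the field names, and the sample entries are constructed for illustration; the Security Rule citations used in the sample are real paragraphs, but the findings are invented.

```python
"""Toy SRA risk register: scores each threat-vulnerability pair by
likelihood x impact, checks that every Addressable safeguard is either
implemented or backed by a documented alternative, and flags an analysis
that predates a change to the environment.

Added example; not Aegis AI's product code. Sample entries are constructed."""
from dataclasses import dataclass, field
from datetime import date

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point scale


@dataclass
class Safeguard:
    citation: str          # Security Rule paragraph the safeguard comes from
    name: str
    spec: str              # "Required" or "Addressable"
    implemented: bool
    alternative: str = ""  # reasoned equivalent measure, if not implemented


@dataclass
class RiskItem:
    asset: str             # where ePHI is created, received, maintained or transmitted
    threat: str
    vulnerability: str
    likelihood: str        # low / medium / high
    impact: str            # low / medium / high
    safeguards: list[Safeguard] = field(default_factory=list)

    def score(self) -> int:
        """Documented rating for the pair: likelihood x impact, not a gut feeling."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def safeguard_gaps(register: list[RiskItem]) -> list[str]:
    """Findings a reviewer would raise.

    A Required safeguard must be implemented. An Addressable one must be
    implemented or carry a documented alternative; an empty alternative is
    the silently-skipped case the guide warns about."""
    gaps = []
    for item in register:
        for sg in item.safeguards:
            if sg.implemented:
                continue
            if sg.spec == "Required":
                gaps.append(f"{item.asset}: {sg.citation} {sg.name} is Required and not implemented")
            elif not sg.alternative.strip():
                gaps.append(f"{item.asset}: {sg.citation} {sg.name} is Addressable with no documented alternative")
    return gaps


def prioritize(register: list[RiskItem]) -> list[tuple[int, str, str]]:
    """Findings ordered highest risk first, as input to the risk-management plan."""
    return sorted(((i.score(), i.asset, i.threat) for i in register), reverse=True)


def is_stale(sra_date: date, environment_changes: list[tuple[date, str]]) -> bool:
    """True if any new system, vendor, location or integration postdates the analysis."""
    return any(changed > sra_date for changed, _ in environment_changes)


def build_sample_register() -> list[RiskItem]:
    """Constructed sample data for a small practice; not real findings."""
    return [
        RiskItem("EHR database", "credential theft", "shared logins", "high", "high",
                 [Safeguard("164.312(a)(2)(i)", "Unique user identification",
                            "Required", implemented=False)]),
        RiskItem("Laptops with exports", "device loss", "unencrypted disk", "medium", "high",
                 [Safeguard("164.312(a)(2)(iv)", "Encryption and decryption",
                            "Addressable", implemented=False, alternative="")]),
        RiskItem("Billing vendor SFTP", "interception", "legacy cipher suites", "low", "medium",
                 [Safeguard("164.312(e)(2)(ii)", "Encryption (transmission)",
                            "Addressable", implemented=False,
                            alternative="Transfers only over site-to-site VPN; see BAA appendix")]),
    ]


# Constructed dates: the analysis was written before a new EHR vendor was onboarded.
SAMPLE_SRA_DATE = date(2024, 6, 1)
SAMPLE_CHANGES = [(date(2025, 3, 1), "new EHR vendor"), (date(2024, 1, 15), "new clinic location")]


if __name__ == "__main__":
    reg = build_sample_register()
    for line in safeguard_gaps(reg):
        print("GAP:", line)
    for score, asset, threat in prioritize(reg):
        print(f"risk {score}: {asset} / {threat}")
    print("SRA stale:", is_stale(SAMPLE_SRA_DATE, SAMPLE_CHANGES))
```

Run it and the register yields two gaps (the Required item and the Addressable item with no alternative), while the SFTP entry passes because its alternative is documented; the EHR pair sorts to the top of the plan, and the analysis is reported stale because a vendor change postdates it.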

Point in time, then kept alive

The SRA is a point-in-time analysis, and HHS expects it to be reviewed and updated as your environment changes, and periodically regardless. New EHR, new vendor, new location, new integration: each one is a reason to revisit. The practical pattern that works: produce the documented analysis, work the risk-management plan, and put posture monitoring on a schedule so the next update is a refresh rather than a restart.

Three ways to get it done

Common questions

Is a gap assessment the same as a risk analysis? No. A gap assessment compares you to a checklist; the SRA is the documented threat-vulnerability-likelihood-impact analysis the regulation names. Auditors ask for the SRA specifically.

We did one years ago. Are we covered? An SRA that predates your current systems describes an environment you no longer run. Reviewers read the date first.

Does a completed SRA make us HIPAA compliant? No single document does. The SRA is the required foundation the rest of your program builds on, and the follow-on risk-management plan is where compliance work actually happens. If HIPAA is one of several frameworks you face, see how one control baseline serves multiple frameworks.

The document HIPAA requires, done and documented: every safeguard accounted for, prioritized risks, and a 90-day plan, in your inbox.


Aegis AI™ is a vCISO platform delivered as Agent-as-a-Service by ElasticD3M, LLC. Aegis AI is not a law firm and does not provide legal advice; the Security Risk Analysis is a compliance work product prepared from your intake, not an attestation or audit, and no document alone establishes HIPAA compliance. Audits and attestations are performed by independent firms. This article is general information. ElasticD3M, LLC is a Texas limited liability company. Patent Pending.