The Most Common HIPAA Gap Is Also the Most Visible
If you ask a roomful of small-practice administrators whether they have a current HIPAA Security Risk Analysis on file, somewhere between a quarter and a half will quietly say no. They are not bad operators. They are running a business with twelve people, three vendors, a billing company, and a state inspector who is more interested in OSHA. The Security Rule risk analysis just keeps sliding to next quarter.
The problem with "next quarter" is that the moment a covered entity, a payer, or OCR asks for evidence, the gap is the first thing they see. "No current risk analysis" is one of the most commonly cited Security Rule findings, and it is also one of the most expensive. Several of the largest HIPAA settlements over the past decade have leaned heavily on this single missing artifact.
The good news: you do not need to be done. You need to be visibly in progress, with a defined scope, named owner, and credible documentation trail. That alone changes the conversation. Here is the one-week plan to get there.
Day 1 (Monday): Write the Memo
Before anything else, write a one-page internal memo. It says: "An updated Security Risk Analysis is being initiated. Scope: all systems and locations that handle PHI. Owner: [name]. Target completion: [date 30–60 days out]. Status reports: weekly." Date it. Sign it.
This is not paperwork theater. It is the first artifact in the file. If anyone asks tomorrow where you stand on a HIPAA risk assessment, the answer is no longer "we have not done one" — it is "we initiated one on Monday and here is the memo." That is a different posture entirely.
Day 2 (Tuesday): Define the Scope
Open a spreadsheet or a document and list every system, location, vendor, and workforce role that touches ePHI. Be deliberately wide on the first pass; you can narrow later. Common categories:
- Clinical systems: EHR, e-prescribing, lab interfaces, telehealth platforms.
- Administrative systems: scheduling, billing, clearinghouse, patient portal, payment processing.
- Productivity systems: email, file sharing, calendar, fax services, secure messaging.
- Endpoints: workstations, laptops, mobile devices, printers, scanners, kiosks.
- Network & infrastructure: firewall, Wi-Fi, backups, remote access, VPN.
- Vendors: EHR vendor, billing company, IT/MSP, transcription, shredding, cloud storage.
- Workforce roles: providers, front desk, billers, medical assistants, remote staff.
Without an explicit scope, the assessment will drift and never end. With a written scope, you have a finish line.
Day 3 (Wednesday): Inventory ePHI Flows
Walk through how ePHI enters, moves, is stored, and leaves the organization. This is the single most useful exercise in a risk analysis because it surfaces the surprises — the personal phone that handles secure messages, the front-desk inbox that occasionally gets faxes, the cloud folder that no one remembers creating.
For each flow, write down: source, destination, transport mechanism, whether the data is encrypted in transit and at rest, retention period, and who has access. Half a day is enough for a small practice.
Day 4 (Thursday): Run a Guided Assessment
Do not start a risk analysis from a blank document. Either use a guided platform — HIPAA risk-assessment software walks you through the Security Rule requirements with built-in questions and scoring — or engage a qualified consultant.
The structure should match the HIPAA Security Rule sections: administrative safeguards, physical safeguards, technical safeguards, organizational requirements, and policies/procedures/documentation. For each question, capture: current state, likelihood, impact, residual risk, and proposed action.
Day 5 (Friday): Triage and Assign
By Friday, you should have a draft findings list. Sort by severity. For each finding, assign an owner and a target date. The remediation plan is the second half of risk management and the one auditors actually look for. A risk analysis with no remediation tracking is, for audit purposes, a half-done program. A remediation plan template with worked examples can save you a day on this step.
Three findings will probably stand out: vendors with no current BAA, endpoints with no verified encryption, and audit logs that have never been reviewed. Those are the most common high-severity gaps in small practices, and addressing them buys you outsized risk reduction.
Day 6–7 (Weekend or Following Monday): Centralize the Documentation
Pull everything you have produced — the memo, the scope, the ePHI inventory, the assessment, the findings, the remediation plan — into one place. Physical binder, shared drive, or compliance platform; the medium does not matter as long as everything is dated, owned, and findable. A 10-tab binder structure works for paper, digital, and platform-based programs.
The HIPAA Security Rule requires that this documentation be retained for at least six years. Version every document with its date and review history. An undated artifact is weak evidence.
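As an added example (not from the original post), here is a minimal findings register in Python that implements the Day 4 capture fields and the Day 5 triage: likelihood and impact are scored, findings are sorted by severity, residual risk after the proposed action is computed, and any finding with no owner or target date is flagged. The four-point scale, the sample findings, owners and dates are all constructed for illustration; substitute your own methodology.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed four-point scale; use whatever scale your methodology defines.
SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    id: str
    system: str                 # item from the Day 2 scope list
    current_state: str          # what the assessment observed
    likelihood: str             # low / medium / high / critical
    impact: str
    proposed_action: str
    residual_likelihood: str    # likelihood once the action is done
    owner: Optional[str] = None
    target_date: Optional[date] = None

    @property
    def severity(self) -> int:
        """Inherent risk score = likelihood x impact (1..16)."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    @property
    def residual(self) -> int:
        """Risk remaining after the proposed action is implemented."""
        return SCALE[self.residual_likelihood] * SCALE[self.impact]

def triage(findings):
    """Sort by severity, highest first (ties: higher residual, then id)."""
    return sorted(findings, key=lambda f: (-f.severity, -f.residual, f.id))

def untracked(findings):
    """IDs with no owner or target date: the gap an auditor reads as a half-done program."""
    return [f.id for f in findings if not f.owner or not f.target_date]

# Constructed sample register for a small practice (not real findings).
SAMPLE = [
    Finding("F-01", "Billing company", "No current BAA on file", "high", "critical",
            "Execute BAA before next claims batch", "low", "Office manager", date(2024, 7, 15)),
    Finding("F-02", "Laptops", "Disk encryption never verified", "high", "high",
            "Verify full-disk encryption on every device", "low"),
    Finding("F-03", "EHR", "Audit logs never reviewed", "medium", "high",
            "Monthly log review with sign-off", "low", "Privacy officer", date(2024, 7, 31)),
    Finding("F-04", "Fax service", "Received faxes left in tray", "medium", "medium",
            "Route faxes to a restricted inbox", "low", "Front desk", date(2024, 8, 1)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.id} sev={f.severity:2d} resid={f.residual:2d} owner={f.owner or 'UNASSIGNED'}")
    print("untracked:", untracked(SAMPLE))
```

The `untracked` list is the item to clear before the register goes into the binder, since a finding without an owner and date is exactly what the Day 5 section calls a half-done program.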
What "Done" Looks Like
At the end of the week, you should be able to answer four questions on demand:
- Do you have a current Security Risk Analysis? "Yes, dated this week, scope and methodology in the file."
- What did you find? "Twenty-seven findings, prioritized by severity, with owners and target dates."
- What are you doing about it? "Five highest-severity items are in remediation now. Here is the tracker."
- How will we know it is staying current? "Annual full refresh, quarterly mini-audit, off-cycle reviews after major changes."
That posture is the difference between "we are out of compliance" and "we are actively managing risk." OCR investigators, covered-entity due diligence teams, and cyber insurers all read those two stances very differently.
Why the Quarterly Cadence Matters
A one-week sprint gets you back on the map. A quarterly cadence keeps you there. Once the initial SRA is in place, a 90-minute quarterly mini-audit catches drift — expired BAAs, ex-employee accounts that were never disabled, training certificates that lapsed — long before an annual reassessment would.
The mini-audit also gives you a forcing function. Practices that put it on a recurring calendar consistently outperform practices that "review compliance when we get a chance." The latter never get a chance.
Talk to Us
If you are starting from zero on a HIPAA Security Risk Analysis, you should not have to interpret every Security Rule requirement from a blank document. HIPAA Security Suite gives you a guided assessment, remediation tracking, vendor/BAA management, network security visibility, and audit-ready reporting in one workspace — the platform answers the four questions above on demand.
Schedule a walkthrough or take our 3-minute readiness quiz first to see where the biggest gaps are. The week you spend on this is the cheapest insurance you will buy all year.