
Physician practices

When the government asks, you hand them a current one.

HIPAA requires a current risk analysis on file, and it is the first thing the Office for Civil Rights asks for after an incident. I deliver and maintain that document, plus the controls behind it, so when OCR asks, you hand them a current analysis instead of a problem, and the practice keeps seeing patients. This is a plan, not a compliance guarantee.

Sources: HIPAA Security Rule 45 CFR 164.308(a)(1); OCR Risk Analysis Initiative.

Does HIPAA require a risk analysis?

Yes. The HIPAA Security Rule (45 CFR 164.308(a)(1)) requires every covered entity to conduct an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of electronic protected health information (Source: HHS, hhs.gov/hipaa). It is not optional, and it is not a one-time task. The analysis must be documented, reviewed, and updated as the practice changes.

Without a current one, you have no compliance baseline and no record of due diligence if an incident occurs or OCR investigates. The cost of not having it is not abstract. A small practice that cannot produce a risk analysis is exposed to an OCR resolution agreement, the legal and notification clock that runs after a breach, and a cyber-insurance claim that can be denied for missing the controls you said you had.

The document is cheap next to any one of those outcomes, and it is the foundation the rest of your security program stands on. Getting it on file now is the calm, inexpensive move.

What is the OCR Risk Analysis Initiative?

The HHS Office for Civil Rights enforces HIPAA, and its Risk Analysis Initiative is a focus on the single most common failing it sees: practices that cannot produce a current, documented risk analysis. A missing or inadequate risk analysis is one of the most frequent findings in OCR enforcement actions, and it is the specific gap the initiative was created to pursue (Source: HHS, hhs.gov/hipaa).

The practical reading is simple. If OCR comes to your practice, the first request is for your risk analysis. Having a current one turns the hardest question of an investigation into a document you hand over, instead of a finding against you. That is the whole point of doing this work before anyone asks.

What a current risk analysis must cover

What I review

  • Every system and application that touches electronic patient information
  • Workstations, laptops, mobile devices, and servers that reach ePHI
  • Network configuration, access controls, and audit logging
  • Email and any external channel patient information travels through
  • Backup and recovery, so an attack does not stop patient care
  • Written policies, workforce procedures, and training records
  • Vendors with access to patient data, and the BAA behind each one
  • Physical access to servers, devices, and paper at the practice

What you receive

  • A written risk analysis you can hand to OCR as your current one on file
  • A risk rating for each gap, scored by likelihood and impact
  • A prioritized fix list ordered by risk, not by what is easiest to sell
  • A specific recommendation for each finding, in plain language
  • A baseline you can review and update as the practice changes

The assessment uses the HHS Security Risk Assessment (SRA) tool and methodology, so it is structured and documented, and it gives you something concrete to work from (Source: HHS, healthit.gov SRA tool).
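As an added illustration of the risk rating and prioritized fix list described above, the following Python script scores a set of constructed findings by likelihood and impact and orders the fix list by risk. This is example code written for this page, not Arain Systems' own tooling and not the scoring built into the HHS SRA tool; the 1-to-5 scales, the rating bands, the safeguard labels and the sample findings are all assumptions.

```python
"""Risk rating and prioritized fix list for a practice risk analysis.

Example code for this page. The 1-to-5 likelihood and impact scales,
the rating bands and the sample findings are assumptions, not the
HHS SRA tool's own scheme.
"""
from dataclasses import dataclass

# Assumed ordinal scales: 1 is lowest, 5 is highest.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Finding:
    id: str
    description: str
    safeguard: str        # which Security Rule safeguard family the gap falls under
    likelihood: str       # key into LIKELIHOOD
    impact: str           # key into IMPACT
    recommendation: str   # plain-language fix, one per finding


def risk_score(likelihood: str, impact: str) -> int:
    """Score = likelihood x impact on the assumed 1-5 scales (range 1..25).

    Unknown scale words raise KeyError so a typo cannot silently score as zero.
    """
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(score: int) -> str:
    """Map a score to a rating band. Band cut-offs are an assumption for this example."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order the fix list by risk, highest first; ties break on finding id for a stable list."""
    return sorted(findings, key=lambda f: (-risk_score(f.likelihood, f.impact), f.id))


def count_by_rating(findings: list[Finding]) -> dict[str, int]:
    """Summary line for the front of the report: how many findings sit in each band."""
    counts: dict[str, int] = {}
    for f in findings:
        band = risk_rating(risk_score(f.likelihood, f.impact))
        counts[band] = counts.get(band, 0) + 1
    return counts


def render_fix_list(findings: list[Finding]) -> list[str]:
    """One line per finding, already in priority order, ready to paste into the report."""
    lines = []
    for f in prioritize(findings):
        score = risk_score(f.likelihood, f.impact)
        lines.append(f"{f.id} [{risk_rating(score)} {score:>2}] {f.safeguard}: "
                     f"{f.description} -> {f.recommendation}")
    return lines


# Constructed sample findings for a small practice (not real assessment data).
SAMPLE_FINDINGS = [
    Finding("F-01", "Email accounts for front-desk staff have no MFA", "technical",
            "likely", "severe", "Enforce phishing-resistant MFA on every mailbox"),
    Finding("F-02", "Nightly backups exist but a restore has never been tested", "administrative",
            "possible", "major", "Run and document a restore test each quarter"),
    Finding("F-03", "Ambient scribe tool in use with no BAA on file", "administrative",
            "likely", "major", "Obtain a BAA or stop use; record what the vendor retains"),
    Finding("F-04", "Shared local password on the nurse-station workstation", "technical",
            "possible", "moderate", "Issue individual accounts and enable audit logging"),
    Finding("F-05", "Archived paper charts kept in a locked but unlabelled cabinet", "physical",
            "rare", "minor", "Add the cabinet to the physical access inventory"),
]


if __name__ == "__main__":
    print("Findings by rating:", count_by_rating(SAMPLE_FINDINGS))
    for line in render_fix_list(SAMPLE_FINDINGS):
        print(line)
```

The ordering is the point: the fix list comes out ranked by score, so the missing MFA and the un-contracted AI vendor land at the top regardless of which fix would be easiest to sell, and the summary counts give the one-line answer to "how bad is it" that sits at the front of the written analysis.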

What are the three threats to a practice?

Vendor and payroll fraud

A fake invoice or payroll change does not get paid

A criminal who has watched your email sends an altered invoice from a vendor, or a request to reroute a provider's direct deposit, at the moment money is moving. Enforced email authentication, phishing-resistant MFA, and a callback to a number you already had on file keep the payment from clearing.

Carrier questionnaires

You can answer the cyber-insurance application honestly

Carriers now ask whether you enforce MFA, segment access to patient data, and keep tested backups before they will quote or pay a claim. The same controls behind your risk analysis are the ones the questionnaire asks about, so this work keeps you able to qualify, bind, and avoid a denied claim.

PHI in AI tools

Patient information does not leak into an AI tool

An ambient scribe or a chatbot that handles patient information is a vendor with access to PHI. It needs a Business Associate Agreement, a record of what it retains, and a workforce rule for what staff may paste into it. Governing AI tools the way you govern any other vendor keeps a convenience from becoming a breach.

How is this different from your current IT?

Typical break-fix IT                      | This offering
------------------------------------------|---------------------------------------------------
Fixes things when they break              | Owns your HIPAA security posture year round
Generic small-business support            | Built only for medical and financial offices
No risk analysis on file                  | Delivers the documented risk analysis OCR expects
"We signed a BAA, you are covered"        | Knows a BAA is the start, not the whole job

You keep ownership of your Microsoft tenant, your credentials, and your backups, with a documented runbook, so you are never locked in, including to me.

What this is not

  • Not a HIPAA certification. No third party certifies a practice as HIPAA compliant. Any vendor claiming to issue one is misrepresenting the rule.
  • Not a guarantee of compliance. A risk analysis identifies gaps and sets a baseline. It is a necessary part of a compliance program, not the end of one. Acting on the findings is the work that follows.
  • Not a federal audit. The assessment is conducted by Arain Systems, not HHS or OCR. The findings are yours, to improve your posture and document your effort.
  • Not a one-time fix. HIPAA requires the analysis to be reviewed and updated when the environment changes. Starting with a documented one is the right first step.

Common questions

Does HIPAA require a risk analysis?

Yes. The HIPAA Security Rule (45 CFR 164.308(a)(1)) requires every covered entity to conduct an accurate and thorough assessment of the risks to electronic protected health information. It is not optional, and it is not a one-time task. The analysis must be documented, reviewed, and updated as the practice changes. It is also the first document the Office for Civil Rights asks for after an incident or complaint.

Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated June 2026. Educational, not legal advice.

Get a free HIPAA risk-analysis review

I check where your practice stands against the HIPAA Security Rule, centered on whether you have a current risk analysis on file, then give you written findings. No commitment, yours to keep.
