
HIPAA Security Risk Assessment

The SRA your assessor actually expects.

Required under 45 CFR 164.308(a)(1). Most Business Associates don't have one. The Office for Civil Rights cites it in nearly every enforcement action. We've delivered hundreds. Ours hold up.

16+ years delivering HIPAA compliance programs for covered entities and business associates
Zero reportable breaches across all client engagements over 16 years as a practicing CISO
Fixed-scope engagement — cost, timeline, and deliverables defined before we start
45 CFR 164.308(a)(1) — the federal mandate requiring every covered entity and BA to complete an SRA

This is not optional.

The HIPAA Security Rule requires every covered entity and business associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. That requirement lives at 45 CFR 164.308(a)(1)(ii)(A) and it applies to you if you touch ePHI — regardless of company size.

Most small and mid-size Business Associates don't have one. They've signed BAAs with hospital systems, health plans, and clinics. They process patient data daily. And they've never documented a formal risk analysis. OCR knows this. It's the first thing they ask for.

When a breach happens — or when OCR audits — the absence of an SRA is not a technicality. It is the primary violation. Penalties for willful neglect start at $10,000 per violation and can reach $1.9 million per category per year.

45 CFR 164.308(a)(1)(ii)(A)

"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."

A SOC 2 report does not satisfy your HIPAA SRA obligation. Neither does a security questionnaire, a penetration test, or a vendor-provided compliance checklist. These are different instruments designed for different purposes. Confusing them is one of the most common and costly mistakes we see.

The SRA is the foundation. Every other safeguard in the HIPAA Security Rule — access controls, audit logs, encryption, incident response — is built on top of a documented risk analysis. Without it, you have controls without a rationale. OCR will find that gap.

The 2026 HIPAA Security Rule updates raise the bar further: encryption at rest and in transit and multi-factor authentication for any system touching ePHI move from addressable to required. Organizations that haven't run an SRA recently need one now — the regulatory environment has changed.

If you sign BAAs, you need this.

We built this assessment specifically for companies that handle ePHI on behalf of covered entities — not for large health systems with internal GRC teams.

Common targets:

  • Healthcare SaaS companies

    You've signed your first hospital contract. You're handling patient data. You don't have a dedicated compliance officer. This is exactly who we built this for.

  • Medical billing & RCM firms

    You process claims, verify benefits, and handle ePHI across dozens of covered entity clients. Every BAA you've signed creates a separate SRA obligation.

  • Telehealth technology vendors

    Your platform transmits clinical data between patients and providers. That ePHI exposure requires a documented risk analysis — regardless of your team size.

  • Healthcare staffing agencies

    Your workforce accesses patient records inside covered entity systems. That access creates a business associate relationship and a corresponding SRA requirement.

  • AI & ambient scribe vendors

    Your product processes real-time clinical conversations and generates documentation inside EHRs. That's ePHI — and an AI risk assessment should accompany your SRA.

  • Healthcare IT & MSPs

    You manage infrastructure, cloud environments, or end-user devices for hospitals and clinics. Your BAA makes you a business associate. Your SRA is overdue.

What you get. What it covers.

  • 01

    ePHI Asset Inventory

    A complete inventory of every system, application, and workflow that creates, receives, maintains, or transmits ePHI — mapped to your environment, not a generic template.

  • 02

    Threat & Vulnerability Analysis

    Identification and documentation of threats and vulnerabilities to each ePHI asset, evaluated against your current technical, administrative, and physical safeguards.

  • 03

    Risk Ratings & Register

    Every identified risk rated by likelihood and impact using NIST SP 800-30 methodology. A prioritized risk register that drives your remediation decisions, not a spreadsheet you'll never open again.

  • 04

    OCR-Defensible Documentation

    Written documentation of the assessment methodology, scope, findings, and risk decisions — structured to satisfy OCR audit requests and demonstrate good-faith compliance.

  • 05

    Remediation Roadmap

    A prioritized, time-bound plan aligned to your risk ratings, with assigned ownership and defined success criteria. Not a list of recommendations — an actionable program.

Why it matters who delivers it

An SRA is only as defensible as the methodology behind it. Software-generated assessments from $25/month platforms produce documentation. They do not produce judgment.

I spent 16 years as Founder and CISO of ClearDATA — the healthcare cloud security company — without a single reportable breach across a customer base that included major health systems, health plans, and hundreds of business associates. I've sat across the table from OCR investigators. I know what they look for and what fails under scrutiny.

What you're buying from Bowen & Company is not a PDF. It's the risk judgment of someone who has lived inside this program at scale.

— Chris Bowen, Founder & CEO

What organizations ask us first.

Every covered entity and business associate that creates, receives, maintains, or transmits electronic protected health information (ePHI) is required under 45 CFR 164.308(a)(1) to conduct a risk analysis. This includes any company that signs a Business Associate Agreement — healthcare SaaS vendors, medical billing firms, staffing agencies, telehealth platforms, healthcare IT providers, and AI tools with clinical data access. Company size is not a factor. The requirement applies equally to a 5-person startup and a 500-person enterprise.

They are not interchangeable. A HIPAA SRA is a federally mandated risk analysis required by law. SOC 2 is a voluntary attestation framework — valuable for enterprise sales, but it does not satisfy your HIPAA SRA obligation. A SOC 2 Type II report will not protect you in an OCR enforcement action if you don't also have a documented risk analysis. We see this confusion constantly, and it's expensive when it surfaces under audit.

Bowen & Company delivers HIPAA SRAs as fixed-scope engagements — cost, timeline, and deliverables are defined before we start. We don't bill by the hour and there are no surprises. Book a conversation and we'll scope your environment and give you a number in the first call.

The HIPAA Security Rule requires an updated risk analysis whenever a material change occurs — new technology, new vendor relationships, new ePHI workflows, an incident, or a regulatory change. OCR has consistently signaled in resolution agreements that annual review is the floor. The 2026 HIPAA Security Rule updates constitute a regulatory change that triggers an obligation for every covered entity and business associate to refresh their analysis.

Yes. The requirement does not include a size exemption. In fact, small companies are disproportionately targeted in OCR enforcement because they're more likely to lack documentation. Beyond compliance, your hospital or health system customers are increasingly asking for SRA documentation as part of vendor security reviews. Not having one is a sales obstacle as much as a compliance gap. A conversation with us takes 30 minutes and costs nothing — the risk of not having an SRA is far higher.

Yes. For organizations deploying AI tools that touch ePHI — ambient scribes, clinical decision support, AI-powered billing platforms — we offer a combined HIPAA SRA and AI Risk Assessment. The AI layer evaluates shadow AI exposure, model inventory, ePHI pathways through AI systems, and governance baseline. Many health tech companies need both. We deliver them as an integrated engagement.

Let's get you covered.

A 30-minute conversation is enough to scope your SRA and tell you exactly what you need. No sales process. No proposal theater. We either fit or we don't — and we'll tell you which.

01  Book a conversation. 30 minutes to scope your environment and confirm fit.

02  Receive a fixed-scope proposal. Price, timeline, and deliverables defined upfront. No surprises.

03  Complete the assessment. Typically 2–4 weeks depending on complexity. OCR-defensible documentation delivered.

Need ongoing coverage after this assessment?

Bowen & Company delivers the one-time assessment. Named CISO picks up from there with a retained CISO relationship.

Explore Named CISO →