| Key Takeaways |
| The Security Risk Analysis (SRA) is a mandatory, unscored prerequisite for MIPS Promoting Interoperability. Failure to attest YES results in a zero score for the entire PI category, regardless of performance on other measures. |
| 76% of all HIPAA enforcement actions in 2025 included a penalty for risk analysis failures, making it the single most common reason for OCR financial penalties against healthcare organizations. |
| OCR resolved 21 HIPAA violation cases in 2025 and collected $8.33 million in penalties. Healthcare breaches cost an average of $7.42 million per incident (IBM 2025 Cost of a Data Breach Report). |
| The SRA must assess risks to all ePHI that the organization creates, receives, maintains, or transmits, covering administrative, physical, and technical safeguards under 45 CFR 164.308(a)(1). |
| The analysis must be unique for each MIPS performance period, cover the full performance period scope, and be completed within the calendar year (January 1 through December 31). |
| OCR confirmed that 2026 enforcement priorities will expand from risk analysis to include risk management, meaning organizations must demonstrate not just that risks were identified but that they were actively treated and reduced. |
| Nearly 57 million individuals were affected by healthcare data breaches in 2025, with at least 642 large breaches reported to OCR, reinforcing why the SRA is both a compliance requirement and a business necessity. |
In 2025, 76% of all HIPAA enforcement actions included a penalty for risk analysis failures, per the HIPAA Journal’s 2025 Healthcare Data Breach Report. OCR resolved 21 cases and collected $8.33 million in penalties, with risk analysis noncompliance as the dominant finding.
Nearly 57 million individuals were affected by healthcare data breaches during the year. These numbers make one thing clear: the security risk analysis is not a paperwork exercise.
Organizations that skip it or perform it superficially face both regulatory penalties and real security vulnerabilities that threat actors will exploit.
The security risk analysis (SRA) is a mandatory requirement for MIPS Promoting Interoperability and the HIPAA Security Rule. This article provides a step-by-step guide to conducting an SRA that satisfies both requirements, grounded in risk assessment methodology that practitioners can implement immediately.
The framework connects the SRA to broader enterprise risk management principles, turning a compliance obligation into genuine security improvement.
What the MIPS Security Risk Analysis Actually Requires
MIPS (Merit-based Incentive Payment System) is the value-based payment model under MACRA for eligible healthcare providers.
The Promoting Interoperability (PI) performance category, worth 25% of the MIPS final score for 2025, requires clinicians to attest YES to conducting or reviewing a security risk analysis.
Per CMS’s 2025 measure specifications, the SRA is an unscored measure, but failure to attest YES results in a zero score for the entire PI category, regardless of other measure performance.
MIPS SRA Requirements Summary
| Requirement | Specification | Consequence of Non-Compliance |
| Attestation | YES/NO attestation that SRA was conducted or reviewed and security updates implemented | Attesting NO or failing to attest results in 0 points for entire Promoting Interoperability category |
| Regulatory Reference | 45 CFR 164.308(a)(1) under the HIPAA Security Rule | MIPS does not impose additional requirements beyond HIPAA; compliance with HIPAA satisfies MIPS |
| Scope | All ePHI created, received, maintained, or transmitted, including all forms of electronic media | Must cover EHR, network infrastructure, cloud services, telehealth, backups, endpoints, medical devices, and vendor access to ePHI |
| Timing | Must be unique for each performance period; must be conducted within the calendar year (Jan 1 – Dec 31) | Analysis may be conducted outside the PI performance period but must cover the full performance period scope |
| Actions Required | Conduct or review SRA; implement security updates; correct identified security deficiencies | Must demonstrate a plan for correcting deficiencies and evidence that steps are being taken |
| SAFER Guides (2025) | Conduct annual self-assessment using the High Priority Practices Guide | Must attest YES to completing the SAFER Guides self-assessment; a NO response fails the measure |
The critical distinction: the SRA is not a standalone MIPS requirement. The parameters are defined by the HIPAA Security Rule at 45 CFR 164.308(a)(1).
MIPS simply requires you to attest that you have performed what HIPAA already mandates. This means the SRA should evaluate all three categories of HIPAA safeguards: administrative, physical, and technical.
Organizations that treat it as a narrow EHR exercise are setting themselves up for both MIPS attestation failure and HIPAA enforcement risk.
The HIPAA Security Rule Foundation
The HIPAA Security Rule establishes national standards for protecting ePHI. The SRA required under both HIPAA and MIPS must evaluate the organization’s implementation of safeguards across three categories.
Understanding these categories is essential for scoping the analysis correctly and connecting it to your organization’s broader compliance risk assessment program.
HIPAA Safeguards Framework
| Safeguard Category | What It Covers | SRA Assessment Focus |
| Administrative Safeguards | Security management processes; workforce security; information access management; security awareness training; security incident procedures; contingency planning; evaluation; business associate agreements | Risk analysis and risk management policies; workforce training records; access authorization procedures; incident response plan; business continuity and disaster recovery plans; BA contract compliance |
| Physical Safeguards | Facility access controls; workstation use and security; device and media controls | Building security and visitor restrictions; locked server rooms; workstation placement and screen privacy; device encryption; media disposal procedures; equipment inventory |
| Technical Safeguards | Access controls; audit controls; integrity controls; person or entity authentication; transmission security | Unique user identification; emergency access procedures; automatic logoff; encryption at rest and in transit; audit logging and monitoring; authentication mechanisms; ePHI integrity verification |
Healthcare breaches cost an average of $7.42 million per incident in 2025, according to IBM’s Cost of a Data Breach Report.
That figure makes the SRA not just a regulatory requirement but a financial imperative. Organizations that perform thorough risk analyses and remediate identified vulnerabilities reduce both their regulatory exposure and their breach probability.
The connection to risk treatment principles is direct: identify the risk, assess its severity, and implement proportional controls.
How to Conduct a Security Risk Analysis: Step by Step
The following process aligns with the HHS Office for Civil Rights guidance on security risk analysis, the NIST Cybersecurity Framework, and the risk management process that practitioners already follow under ISO 31000. Practitioners looking for an older, asset-based alternative can also review our guide to the CRAMM risk assessment method.
SRA Process Summary
| Step | Actions | Key Outputs | Tools and Resources |
| 1. Define Scope | Identify all systems, applications, and locations where ePHI is created, received, maintained, or transmitted; include EHR, network, cloud, telehealth, mobile devices, paper-to-digital conversion points, and business associates | ePHI asset inventory; data flow diagram showing how ePHI moves through the organization; list of business associates with ePHI access | HHS Security Risk Assessment Tool; network diagrams; EHR system documentation; BA agreements inventory |
| 2. Identify Threats and Vulnerabilities | Catalog threats (ransomware, phishing, insider threat, hardware failure, natural disasters, unauthorized access) and vulnerabilities (unpatched systems, weak passwords, lack of encryption, inadequate training, physical access gaps) | Threat catalog mapped to assets; vulnerability inventory from scanning and assessment; threat-vulnerability pairing matrix | NIST SP 800-30 threat sources; vulnerability scanning tools; penetration test results; prior incident history; HIPAA Journal breach data |
| 3. Assess Current Controls | Evaluate existing administrative, physical, and technical safeguards against HIPAA requirements; document control design and operating effectiveness; identify gaps where safeguards are missing or inadequate | Control inventory mapped to HIPAA safeguard requirements; gap analysis showing missing or weak controls; control effectiveness ratings | HIPAA Security Rule checklist (45 CFR 164.308, .310, .312); NIST CSF mapping; prior audit findings |
| 4. Determine Risk Levels | For each threat-vulnerability pair, assess the likelihood of exploitation and the potential impact on ePHI confidentiality, integrity, and availability; assign risk levels (high, medium, low) | Risk register with likelihood, impact, and risk level for each identified risk; risk heat map visualization; prioritized risk list | Risk assessment matrix; qualitative 5×5 rating scale; quantitative methods for highest-impact risks |
| 5. Develop Remediation Plan | For each risk above tolerance, define specific corrective actions with owners, timelines, and success criteria; prioritize by risk level; document compensating controls for risks that cannot be immediately remediated | Remediation action plan with SMART objectives; compensating controls documentation; budget estimates for major remediation items | Project management templates; CAPA tracking system; vendor quotes for security solutions |
| 6. Document and Attest | Compile the complete SRA documentation package; ensure it covers the full MIPS performance period scope; prepare for attestation; retain documentation for a minimum of 6 years per HIPAA retention requirements | Complete SRA documentation package; attestation-ready evidence; retention schedule; management sign-off | SRA report template; MIPS attestation portal; document management system |
Common SRA Deficiency Areas Flagged by OCR
OCR’s enforcement patterns reveal where organizations most commonly fail. The 2025 enforcement data shows that risk analysis is the foundational issue.
A healthcare provider in Syracuse, New York was investigated over a 2021 ransomware attack and was unable to provide evidence that it had ever conducted a risk analysis. The settlement included a $250,000 penalty plus a corrective action plan.
Understanding where others fail helps you focus your SRA on the areas most likely to draw regulatory scrutiny. The connection to internal audit risk assessment principles is direct: focus assurance activities where the risk of deficiency is highest.
OCR Enforcement Focus Areas
| Deficiency Area | What OCR Looks For | How to Avoid It |
| No risk analysis conducted | Organization cannot produce evidence that any formal SRA has been performed | Conduct and document the SRA annually at minimum; retain all evidence for 6+ years; use a structured tool like the HHS SRA Tool |
| Incomplete scope | SRA covers only the EHR system but misses network infrastructure, mobile devices, cloud services, telehealth platforms, or business associate access | Map all ePHI data flows before starting; include every system and location where ePHI is created, received, maintained, or transmitted |
| No remediation of identified risks | SRA identifies vulnerabilities but no action plan exists to address them | Create a remediation plan with assigned owners, due dates, and evidence of implementation for every risk above tolerance |
| Breach notification delays | Organization discovers a breach but fails to notify OCR and affected individuals within 60 days | Establish a breach response protocol with defined timelines; test the notification process before an actual breach occurs |
| Missing business associate oversight | ePHI shared with vendors without appropriate BA agreements or security assessment of vendor practices | Maintain a complete BA inventory; require security assessments for all BAs; include SRA scope language in BA agreements |
| Insufficient workforce training | Staff unaware of security policies, phishing threats, or proper ePHI handling procedures | Conduct security awareness training at onboarding and annually; document training completion; test with phishing simulations |
Connecting SRA to Enterprise Risk Management
The SRA should not operate as a standalone compliance exercise. Organizations that integrate their SRA into their broader enterprise risk management framework gain two advantages: the SRA findings feed into the enterprise risk register (giving leadership visibility into cybersecurity risk alongside financial and operational risks), and the ERM program’s governance structure provides the accountability and monitoring mechanisms that the SRA itself requires.
The Three Lines Model applies directly: first-line clinical and IT staff own ePHI controls; second-line compliance and privacy officers set policies and monitor; third-line internal audit provides independent assurance over the SRA process.
SRA–ERM Integration Points
| ERM Component | SRA Connection | KRI Example | Board Reporting Output |
| Risk identification | ePHI threat and vulnerability identification feeds enterprise risk register | Number of unpatched critical vulnerabilities; phishing simulation failure rate | Cybersecurity risk heat map with ePHI exposure highlighted |
| Risk analysis | Likelihood and impact assessment of ePHI risks using standard risk matrix | Average risk score trend across SRA findings; percentage of high-risk findings | SRA risk level distribution (high/medium/low) with year-over-year trend |
| Risk treatment | Remediation action plans for SRA findings become control implementations in ERM | Remediation closure rate; average days to close critical SRA findings | Open SRA remediation items by severity; closure progress dashboard |
| Risk monitoring | Continuous monitoring of ePHI controls through KRI tracking and automated alerting | Unauthorized access attempt frequency; encryption coverage percentage; training completion rate | Quarterly ePHI security KRI dashboard with threshold breach alerts |
Implementation Roadmap
| Phase | Actions | Deliverables | Success Metrics |
| Days 1–30: Scope and Assess | Inventory all ePHI systems, applications, and data flows; identify all business associates with ePHI access; catalog threats and vulnerabilities; assess current safeguards against HIPAA requirements; perform gap analysis | ePHI asset inventory and data flow diagram; business associate registry; threat-vulnerability matrix; current controls inventory; gap analysis report | 100% of ePHI-touching systems inventoried; all BAs identified; gaps documented against all three HIPAA safeguard categories |
| Days 31–60: Analyze and Remediate | Assign risk levels to all identified risks; prioritize remediation by risk level; develop corrective action plans for all high and medium risks; begin implementing quick-win remediations; configure monitoring for critical ePHI controls | Completed risk register with risk levels; prioritized remediation plan with owners and timelines; quick-win implementations documented; monitoring configured for top 10 ePHI controls | All risks rated and prioritized; remediation plans approved for all high risks; quick wins producing measurable improvement; monitoring operational for critical controls |
| Days 61–90: Document and Operationalize | Complete all SRA documentation; prepare attestation evidence; conduct staff security awareness refresher training; test incident response procedures; establish quarterly SRA review cadence; deliver first management SRA report | Complete SRA documentation package; attestation-ready evidence; training completion records; incident response test results; quarterly review schedule; management SRA report | SRA documentation covers full MIPS performance period scope; 100% of staff trained; incident response tested; management report delivered; attestation ready |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| Treating the SRA as an annual checkbox rather than ongoing risk management | Compliance-driven mindset that focuses on attestation rather than actual security improvement | Embed the SRA into the organization’s continuous risk management cycle; conduct interim reviews when systems change, incidents occur, or new threats emerge |
| Limiting scope to the EHR system only | Misunderstanding of HIPAA’s requirement to cover all ePHI, not just the certified EHR technology | Map all ePHI data flows before starting; include network infrastructure, cloud services, telehealth platforms, mobile devices, paper-to-digital processes, and BA systems |
| Identifying risks without remediating them | SRA conducted but findings sit in a report without action; OCR now expanding enforcement to include risk management (not just risk analysis) | Create a remediation plan for every risk above tolerance; assign owners and deadlines; track progress; report completion to management |
| Using a generic template without customization | One-size-fits-all SRA templates downloaded from the internet without tailoring to the organization’s specific environment, systems, and threat landscape | Start with the HHS SRA Tool or NIST framework but customize every element to your specific practice: your systems, your workflows, your threats, your vulnerabilities |
| No documentation retention | SRA completed verbally or informally without creating auditable records; documentation discarded or lost | Retain all SRA documentation for a minimum of 6 years per HIPAA requirements; use a document management system with version control and access logging |
| Ignoring business associate risk | ePHI shared with billing companies, cloud providers, EHR vendors, and other BAs without assessing their security posture | Include BA security assessment in SRA scope; review BA agreements for HIPAA compliance; require evidence of BA’s own SRA or equivalent security certification |
Looking Ahead: SRA Enforcement Trends for 2026–2028
OCR has confirmed that 2026 enforcement priorities will expand the risk analysis initiative to include risk management.
This shift means that demonstrating you identified risks is no longer sufficient; OCR will want evidence that identified risks were actively treated, reduced, and monitored. Organizations that have been conducting the SRA as a documentation exercise without follow-through on remediation face significantly increased enforcement exposure.
The 2026 MIPS proposed rule introduces additional attestation requirements confirming clinicians conducted risk management activities under the HIPAA Security Rule, alongside mandatory use of the updated 2025 SAFER Guides for self-assessments.
This represents a regulatory tightening that requires practices to demonstrate not just analysis but active management of identified cybersecurity risks.
Healthcare-specific AI risks are emerging as a new SRA dimension. As practices adopt AI-driven clinical decision support, automated coding, and predictive analytics, the SRA must assess risks these systems introduce to ePHI confidentiality, integrity, and availability.
The AI risk assessment framework provides a structured approach to evaluating these emerging technology risks within the existing SRA methodology.
The organizations best positioned for 2026 and beyond are those that treat the SRA as a genuine risk management tool rather than a compliance artifact: conducting thorough analyses, remediating identified risks with documented evidence, monitoring control effectiveness through KRI dashboards, and integrating cybersecurity risk data into their enterprise risk reporting.
That approach satisfies MIPS, satisfies HIPAA, reduces actual breach risk, and positions the organization well for the expanding regulatory expectations ahead.
Protect your practice and your MIPS score with a rigorous security risk analysis. Visit riskpublishing.com for risk assessment frameworks, compliance checklists, and cybersecurity risk guides. Need hands-on support? Contact our consulting team for tailored SRA and HIPAA compliance services.
References
1. CMS – 2025 MIPS Promoting Interoperability Security Risk Analysis Measure Specification – Official measure requirements and attestation rules
2. HIPAA Journal – 2025 Healthcare Data Breach Report – 76% risk analysis enforcement focus; 21 penalties; $8.33M collected
3. IBM Security – Cost of a Data Breach Report 2025 – $7.42M average healthcare breach cost
4. HHS OCR – Guidance on Risk Analysis Requirements Under the HIPAA Security Rule – Official HHS guidance on conducting the SRA
5. HHS OCR – Security Risk Assessment Tool – Free SRA tool for small and medium healthcare practices
6. HIPAA Journal – Healthcare Data Breach Statistics – Enforcement trends, penalty structures, and breach data 2008–2025
7. MDinteractive – 2025 MIPS Promoting Interoperability Measures – PI measure requirements and SAFER Guides attestation
8. MRO Corp – 2026 CMS Quality Reporting Changes – Proposed 2026 SRA attestation expansion and SAFER Guide updates
9. NIST – SP 800-30 Guide for Conducting Risk Assessments – Federal risk assessment methodology applicable to healthcare
10. NIST – Cybersecurity Framework 2.0 – Risk management framework for healthcare cybersecurity
11. Syteca – HIPAA Violation Fines and Penalties 2025 – Penalty tiers, enforcement cases, and compliance guidance
12. Sprinto – Healthcare Data Breach Statistics 2025 – Per-record breach costs, enforcement data, and vendor risk analysis
13. HHS OCR – HIPAA Breach Report Portal – Official breach reporting database for incidents affecting 500+ individuals
14. Accountable HQ – How to Complete Your MIPS Security Risk Analysis – Step-by-step SRA checklist for healthcare practices
15. Comagine Health – Security Risk Analysis Guide – SRA requirements, timing, and HIPAA safeguards overview
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.