Operator-informed risk analysis for healthcare organizations and clinical labs. The §164.308(a)(1)(ii)(A) artifact your auditor actually wants — grounded in real attacker TTPs, not generic templates.
A HIPAA Security Risk Analysis is the foundational risk-management artifact required by §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Every covered entity and business associate is required to conduct one and keep it current. It documents threats, vulnerabilities, likelihood, impact, current safeguards, and the resulting risk management plan for protected health information.
It is not a penetration test (that's the §164.308(a)(8) evaluation activity). It is not a HIPAA gap assessment (a checklist of controls present or absent). And the output of the HHS Free SRA Tool, on its own, is rarely sufficient as a defensible artifact — it produces a worksheet, not a written risk analysis with organizational context.
The SRAs we deliver at Brickell are different from the genre in one specific way: every threat in the threat catalog is grounded in actual adversary TTPs we observe in offensive engagements. When a Brickell SRA says "exploitation of an unpatched VPN appliance is a high-likelihood threat to ePHI confidentiality," that's a calibrated assessment from someone who has done it — not boilerplate from a template library.
When an OCR investigator or HIPAA auditor flags an SRA, it is usually not because a control is missing. It's because the document itself is indefensible: generic templates with no organizational context, a "threat catalog" of abstract categories that never connects to your environment, likelihood ratings that read as guesses, and no traceable link from identified risks to the remediation work that supposedly addressed them.
The other common failure: SRAs that were complete on day one and never updated. Cloud migration shipped six months ago; SRA still describes the on-prem footprint. New EHR went live; SRA still references the old one. The Security Rule requires the analysis to be accurate and thorough against current operations — stale documents fail.
Threats aren't pulled from a generic library — they're calibrated against current adversary TTPs targeting healthcare. Likelihood ratings reflect what attackers actually do, not what a template says might happen.
Every identified risk and corresponding safeguard is mapped directly to §164.308 Administrative, §164.310 Physical, and §164.312 Technical sub-sections — the structure auditors and OCR investigators expect.
Risk register with traceable links from threat → vulnerability → current safeguard → residual risk → treatment plan owner. The audit-defensible chain auditors expect to walk through.
Built as a living document, not a one-and-done PDF. Structured so updates after a system change are scoped work, not a redo. Optional retainer covers annual refresh and out-of-cycle updates after major events.
When bundled with a HIPAA pentest, the pentest's confirmed exploitable findings flow directly into the SRA's vulnerability catalog with documented proof. Stronger artifact, more efficient delivery.
Real interviews with IT, compliance, clinical leadership, and front-line staff — not just documentation review. The risks that hurt healthcare orgs at audit time are usually the ones nobody put on paper.
Different artifacts, different requirements, both required for most healthcare orgs.
| Dimension | HIPAA SRA | HIPAA Pentest |
|---|---|---|
| HIPAA citation | §164.308(a)(1)(ii)(A) | §164.308(a)(8) |
| Output | Written risk analysis document | Technical findings report + retest attestation |
| Approach | Threat modeling, control review, risk rating | Active manual exploitation |
| Scope | Administrative + Physical + Technical safeguards | Technical safeguards primarily; Physical only if on-site testing |
| Frequency | Annually + after major changes | Annually + after major changes |
| Audience | Compliance officer, board, OCR auditor | IT/security team, auditor, insurance carrier |
| Required by HIPAA? | Yes — for every covered entity / BA | Strongly recommended; required by many auditors and insurers |
The deliverable set built for the people who actually have to read it — and defend it.
The core SRA artifact: enumerated risks to ePHI confidentiality, integrity, and availability with likelihood, impact, current safeguards, residual risk rating, and risk treatment owner.
Calibrated against current adversary TTPs targeting healthcare — ransomware, supply chain compromise, EHR-targeted phishing, BA breaches, insider misuse. Not a generic list.
Documentation of currently implemented Administrative, Physical, and Technical safeguards mapped to specific Security Rule sub-sections. Identifies coverage gaps directly.
Treatment decisions for every identified risk — mitigate, transfer, accept — with owners, timelines, and the residual risk after treatment. The audit-defensible "what we're doing about it" artifact.
Board- and auditor-ready summary covering posture, top risks, treatment progress, and changes since the prior analysis. The artifact handed to leadership and external reviewers.
Documented update cadence: annual full refresh, plus triggers for out-of-cycle updates (system changes, M&A, incidents). The "we'll keep this current" answer auditors want.
Typical SRA-only engagement runs 3 to 5 weeks. Bundled with a pentest, expect 5 to 7 weeks end-to-end.
30 minutes, no commitment. We map the scope of your covered entity / BA operations, identify the systems handling ePHI, and align on whether SRA-only or bundled-with-pentest is the right delivery.
Business Associate Agreement signed. Scope, timeline, stakeholder list, and pricing locked before discovery starts.
Documentation review (existing policies, prior SRAs, incident reports, network diagrams) plus structured interviews with IT, compliance, clinical leadership, and operational staff. The risks that hurt at audit time are the ones never put on paper.
Threat catalog calibrated to your environment and the current healthcare adversary landscape. Vulnerability identification across §164.308 / §164.310 / §164.312. Likelihood and impact rated using a defensible scoring methodology.
Risk register populated, safeguards inventory documented, risk management plan drafted with you, executive summary written. Walked through with your team in a debrief call — not just delivered as a PDF.
Ongoing retainer covers annual full refresh plus out-of-cycle updates after material changes. Most healthcare orgs find this is the cheapest way to stay audit-ready.
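As an added example (not Brickell's deliverable or tooling), a small Python linter for the risk-register chain described above: it checks that every entry carries threat, vulnerability, current safeguard, Security Rule citation, residual risk, treatment and owner, that residual risk is not rated above inherent risk, and that the entry is not stale against the annual refresh or a later change to a system it covers. The 3-point rating scale, the field names and the two sample entries are constructed assumptions.

```python
from datetime import date, timedelta
SECTIONS = ("§164.308", "§164.310", "§164.312")  # Administrative, Physical, Technical
LEVELS = {"low": 1, "medium": 2, "high": 3}       # constructed 3-point ordinal scale
CHAIN = ("threat", "vulnerability", "current_safeguard", "citation",
         "residual_risk", "treatment", "owner")   # the traceability chain
REFRESH = timedelta(days=365)                      # annual full refresh cadence

def rate(likelihood, impact):
    """Likelihood x impact on the 3-point scale, collapsed back to low/medium/high."""
    s = LEVELS[likelihood] * LEVELS[impact]
    return "high" if s >= 6 else "medium" if s >= 3 else "low"

def lint_entry(e, today, change_events=()):
    """Return the defects that make an entry hard to defend; [] means it is clean."""
    defects = [f"missing {f}" for f in CHAIN if not e.get(f)]
    if e.get("citation") and not e["citation"].startswith(SECTIONS):
        defects.append(f"citation {e['citation']} is outside §164.308/310/312")
    if e.get("treatment") and e["treatment"] not in ("mitigate", "transfer", "accept"):
        defects.append(f"unknown treatment {e['treatment']}")
    inherent = rate(e["likelihood"], e["impact"])
    if e.get("residual_risk") and LEVELS[e["residual_risk"]] > LEVELS[inherent]:
        defects.append("residual risk rated above inherent risk")
    if today - e["last_reviewed"] > REFRESH:
        defects.append("stale: older than the annual refresh")
    for when, system in change_events:  # out-of-cycle triggers (system changes, incidents)
        if system in e.get("systems", ()) and when > e["last_reviewed"]:
            defects.append(f"stale: {system} changed on {when} after last review")
    return defects

def lint_register(register, today, change_events=()):
    return {e["id"]: lint_entry(e, today, change_events) for e in register}

# Constructed sample register: R-01 is traceable but predates a VPN change; R-02 is not.
REGISTER = [
    {"id": "R-01", "threat": "exploitation of unpatched VPN appliance",
     "vulnerability": "perimeter VPN two releases behind vendor fixes",
     "current_safeguard": "monthly patch window", "citation": "§164.308(a)(5)(ii)(B)",
     "likelihood": "high", "impact": "high", "residual_risk": "medium",
     "treatment": "mitigate", "owner": "IT director", "systems": ("vpn",),
     "last_reviewed": date(2024, 9, 1)},
    {"id": "R-02", "threat": "EHR-targeted phishing", "vulnerability": "no MFA on EHR portal",
     "current_safeguard": "annual awareness training", "citation": "NIST CSF PR.AT",
     "likelihood": "high", "impact": "high", "residual_risk": "low",
     "treatment": "mitigate", "owner": "", "systems": ("ehr",),
     "last_reviewed": date(2024, 3, 1)},
]

def demo():
    """Lint the sample register as of 2025-06-01, after a VPN change on 2025-01-15."""
    return lint_register(REGISTER, date(2025, 6, 1), [(date(2025, 1, 15), "vpn")])
```

Running `demo()` reports R-01 as stale only because the VPN changed after its last review, while R-02 fails on the missing owner, the non-Security-Rule citation, and the lapsed annual refresh.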
Built for HIPAA pentests, but the data inventory and asset inventory sections apply to SRA scoping too. 10 pages, free.
Standalone HIPAA SRAs run $5,000 to $15,000, scoped to organizational complexity and the number of operational sites and systems handling ePHI.
Bundled with a HIPAA penetration test, the combined engagement runs $12,000 to $35,000 — a more defensible artifact set, more efficient delivery, and one set of stakeholder interviews instead of two.
The free scoping call locks in scope and price before any commitment.
They satisfy different sections of the HIPAA Security Rule. The SRA satisfies §164.308(a)(1)(ii)(A) — the foundational risk analysis required of every covered entity and business associate. The penetration test satisfies §164.308(a)(8) — the periodic technical evaluation. Most healthcare organizations need both. The pentest validates technical controls; the SRA frames the entire risk picture including administrative and physical safeguards.
It can be a starting point but is not a complete artifact for most organizations. Auditors and OCR investigators frequently flag SRAs that are HHS-tool outputs without organizational context, threat-relevance analysis, or risk-treatment documentation. The tool produces a worksheet; what's required is a defensible written risk analysis with threats, vulnerabilities, likelihood, impact, current safeguards, and a risk management plan.
Annually at minimum, and after any significant change to systems handling ePHI — new EHR, cloud migration, M&A, major workflow change, or following any incident or near-miss. The Security Rule requires the analysis to be "accurate and thorough" to current operations, which means stale documents fail audit.
Yes. Our deliverables are structured to map directly to §164.308(a)(1) requirements: documented threat catalog, vulnerability identification, likelihood and impact analysis, current safeguards inventory, residual risk rating, and a risk management plan with owners and timelines. The artifact is written to be handed directly to an OCR investigator without translation.
Yes. We deliver SRAs both standalone and bundled with a HIPAA penetration test. Bundled engagements are more efficient and produce a stronger artifact — pentest findings feed directly into the SRA's vulnerability catalog with proven exploitability — but standalone SRAs are available when that's all the organization needs.
Yes. A BAA is signed before any engagement begins, including SRA-only engagements where ePHI may be discussed in interviews or documented in the risk register.
Free 30-minute scoping call. We'll map your scope, recommend SRA-only or bundled-with-pentest, and tell you exactly what an engagement would cost.