What is a HIPAA Security Risk Assessment?
A HIPAA Security Risk Assessment (SRA) is a formal, documented evaluation of how your practice collects, stores, transmits, and protects electronic Protected Health Information (ePHI). It's required under 45 CFR § 164.308(a)(1) — the HIPAA Security Rule's administrative safeguard provisions.
In plain English: the law requires you to find every place patient data lives in your practice, identify what could go wrong with it, and document what you're doing about it.
Key fact: The HIPAA Security Risk Assessment is the single most cited missing item in OCR investigations. It's the first document auditors ask for — and its absence is treated as willful neglect, the highest penalty tier.
Who is required to complete one?
Every HIPAA covered entity is required to complete a Security Risk Assessment. This includes:
- Dental offices of any size, including solo practitioners
- Therapy and counseling practices, including telehealth providers
- Medical clinics and physician offices
- Physical therapy and chiropractic practices
- Any provider who electronically transmits health information
There is no small practice exemption. A solo dentist has the same risk assessment obligation as a 500-person medical group.
What does an assessment actually cover?
A proper HIPAA Security Risk Assessment reviews three categories of safeguards:
Administrative safeguards
Your policies, procedures, and workforce training. This includes whether you have a written security policy, how you handle employee access when someone leaves, whether you've completed staff security training, and whether you have a documented incident response procedure.
Physical safeguards
Physical access to systems and patient data. This covers workstation security, locked server rooms or storage, visitor access policies, and device disposal procedures — what happens to a hard drive when you retire a computer.
Technical safeguards
The security controls built into the systems that hold or transmit ePHI. This includes access controls with unique user IDs for each staff member, automatic logoff on idle workstations, encryption of data at rest and in transit, audit logs that record who accessed which records, and backup and recovery systems.
How often do you need to do it?
HIPAA requires a risk assessment to be conducted at least annually, and any time there's a significant change to your environment — including a new EHR system, new office location, new devices, or major changes to your workforce.
Important: Most small practices have never completed a formal documented risk assessment, or completed one years ago and haven't updated it. An outdated assessment offers limited protection if you face an OCR audit.
What does a HIPAA Risk Assessment cost?
Costs vary significantly depending on who conducts it and the size of your practice. Large consulting firms typically charge $10,000–$30,000 for enterprise-level assessments. For small practices, specialized firms like Kemeski Systems offer fixed-price assessments designed for practices without in-house IT teams at a fraction of that cost.
The real cost comparison is against a HIPAA violation: fines for missing or inadequate risk assessments start at $100 per violation and can reach $50,000 per violation for willful neglect — plus mandatory corrective action plans and annual audits that follow.
What should you expect from the process?
A professional HIPAA risk assessment for a small practice typically takes 1–2 weeks from kickoff to final report. The process involves minimal disruption to your front desk — most of the work happens remotely. You should expect a kickoff interview, a review of your systems and policies, and a written report that includes the risk analysis document itself plus a prioritized remediation plan.
The report should be written in plain English. If you receive a document you can't understand without a security degree, ask for a plain-language summary — any firm worth working with will provide one.
Not sure where your practice stands?
Book a free 20-minute consult. We'll assess your current HIPAA posture and tell you exactly what you need.