Top 7 HIPAA Risk Assessment Mistakes Independent Practices Make
The seven recurring failures that turn a risk analysis into the most-cited finding in OCR enforcement. What each gap looks like, and the corrective standard for each.

Top 7 HIPAA Risk Assessment Mistakes Independent Practices Make
A risk analysis I reviewed for a 14-provider independent practice last quarter populated its threats column with exactly three entries — "ransomware," "insider error," and "natural disaster" — generated by the assessment vendor's template engine, signed by the practice owner during a 20-minute Zoom call, and filed in a folder labeled "Compliance 2024" that nobody had opened since. Let me explain why this is the single most common failure mode of HIPAA risk analysis in independent-practice infrastructure, and why it would not survive ten minutes of OCR scrutiny if the practice ever had to defend it. NIST SP 800-30 Rev. 1 — the publication HHS guidance points to as the methodological reference for HIPAA risk analysis — is a 95-page document specifying a four-step process of preparing for, conducting, communicating, and maintaining risk assessments, with a defined taxonomy of threat sources (adversarial, accidental, structural, environmental), threat events, vulnerabilities, predisposing conditions, likelihood determinations, impact determinations, and risk computation across the resulting matrix. A practice that produces three single-word threats has skipped roughly 92 of those 95 pages, and the absence is visible to any auditor who has actually read the document — there is no vulnerability pairing, no likelihood scoring against the seven-point qualitative scale 800-30 recommends, no impact analysis against confidentiality, integrity, and availability, no mapping to the 14 SaaS integrations sitting between the EHR and the billing clearinghouse that introduce 14 separate threat surfaces. The practice had been issued a "Compliance Certification" by the assessment vendor regardless. The seven failure patterns below are the ones I find most often when I open these documents, in the order I find them.
The HIPAA risk analysis is the foundational document of an entire compliance program. Required by 45 CFR §164.308(a)(1)(ii)(A), it determines what safeguards the practice must implement under the Security Rule's addressable-versus-required framework. It is also the single most-cited gap in OCR enforcement.
1. Skipping the risk analysis entirely
The most common mistake — and the most expensive. Without a documented risk analysis, OCR has no foundation to evaluate any other safeguard. The agency typically assumes the worst about every other control when the foundational document is missing.
The fix is procedural, not technical: schedule the analysis, scope it to actual ePHI flows, document the methodology, and produce a dated final report.
2. Treating the risk analysis as one-time
A risk analysis carrying a 2021 date on a 2026 audit is the artifact OCR investigators use to establish the practice failed the §164.308(a)(1)(ii)(A) "accurate and thorough" requirement — the regulation specifies the analysis must remain current against the practice's actual environment, and HHS guidance interpreting that requirement expects annual review at minimum plus event-driven updates whenever a material operational change happens, including new SaaS integrations brought online, new BAAs executed with new vendor categories, new locations added, new threat intelligence reaching the sector, new regulatory interpretations from OCR resolution agreements, and personnel changes that alter who has administrative access to PHI systems. The reason the cadence matters is that risk-analysis staleness is the failure mode the HHS Office for Civil Rights Resolution Agreement archive cites most frequently — Anthem in 2018, Premera Blue Cross in 2020, Excellus in 2021, Lifespan in 2020, the Banner Health resolution, and a long tail of smaller practice settlements where the practice produced a risk analysis but the analysis predated the breach systems by years.
The corrective standard: annual review of the analysis itself, with documentation of the review and any updates triggered.
3. Scoping the analysis to the EHR only
The EHR is the most visible PHI system in the practice, and the scope of an independent-practice risk analysis routinely stops there because the EHR is the system the practice manager understands and the system the compliance vendor's template knows how to ask about — but the actual ePHI footprint of a modern small practice extends across email systems holding clinical attachments in IMAP folders that get backed up offsite, scheduling platforms passing patient names and procedure codes through third-party SMS reminder services, billing software syncing to clearinghouses through SFTP transfers that may or may not be over an encrypted control channel, backup volumes containing every PHI table in plaintext until the moment the tape encryption kicks in, telehealth tools recording sessions into cloud storage governed by a separate BAA, secure messaging apps holding clinical conversations the EHR never sees, and file-sharing services hosting the spreadsheets and PDFs staff actually do their daily work in. A risk analysis scoped only to the EHR routinely misses 70 to 80 percent of the real ePHI footprint, and the OCR investigator after a breach will reconstruct the missing 80 percent through forensics whether the risk analysis named it or not. In one practice I mapped during a pre-acquisition due diligence engagement, the EHR was scoped, audited, encrypted with TDE, locked down behind MFA, and exactly the system the consultant had pointed at when the practice manager asked where the compliance program lived — while a front-desk Google Sheet titled "Today's Schedule" held patient name, date of birth, procedure code, insurance carrier, and notes about why each patient was coming in, with eighteen months of historical sheets sitting in a shared drive accessible to twelve workforce members and shared once with the practice owner's personal Gmail to print from home on a snow day, never named in the risk analysis at all and never inventoried under any policy. The sheet was where the actual exposure lived even though the EHR was the system everybody was watching.
The corrective standard: full ePHI data flow mapping before the risk analysis begins. Patient Protect's free ePHI Data Flow Mapper is one entry point. The OCR-recommended approach is to inventory every system, every integration, every vendor that touches PHI.
4. Copying a generic template without scoping to the practice
Risk analysis templates produced by industry associations or vendor toolkits are starting points, not finished products. A template that hasn't been adapted to the practice's actual systems, workforce composition, and specialty risk profile fails OCR scrutiny because the language is generic — it could apply to any practice.
The corrective standard: risk analysis content that names specific systems, specific vendors, specific workforce roles, and specific risk scenarios applicable to the practice.
5. Failing to document threats and vulnerabilities separately
HIPAA's risk analysis requires identification of both threats (the bad actor or event) and vulnerabilities (the weakness the threat exploits) — and the likelihood and impact of each combination. Many practices conflate the two, or document only one, producing a list that doesn't actually support the risk-management decisions that should follow.
The corrective standard follows the NIST SP 800-30 framework or equivalent: threats inventoried, vulnerabilities mapped, likelihood scored, impact scored, risk rating computed, prioritization documented.
6. Skipping the risk-management step that should follow the analysis
The risk analysis under §164.308(a)(1)(ii)(A) and the risk management implementation specification under §164.308(a)(1)(ii)(B) are paired requirements drafted as two halves of a single regulatory loop — the analysis identifies the threats, vulnerabilities, likelihoods, and impacts; the management step implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level — and the practice that produces the first half without the second has produced an artifact of compliance theater rather than a functioning compliance program. OCR investigators following a breach will request both the risk analysis and the documented remediation actions the practice took in response to it, and the question they ask in roughly that phrasing is "what did you do about the risks the analysis identified," with follow-up questions tied to specific findings the analysis surfaced and dates by which those findings were addressed or accepted under documented risk-acceptance procedures.
The corrective standard: every identified risk above the practice's risk threshold has a corresponding mitigation, documented, dated, with named accountability.
7. Treating the HHS SRA Tool as sufficient
The free HHS Security Risk Assessment Tool is a useful structured questionnaire for surfacing the categories of consideration the Security Rule expects a practice to think about, and HHS distributes it specifically because small practices needed a free scaffolding tool to begin the risk-analysis exercise — but the tool itself does not produce the risk ratings, the likelihood and impact analysis against the practice's actual systems, the prioritized remediation list, or the methodology documentation that §164.308(a)(1)(ii)(A) requires the final analysis to contain. The output is an inventory of areas where the practice should have considered risk, with the practice's own answers populated in; the analysis that satisfies the regulation is the document that takes those inputs, applies a NIST SP 800-30 or equivalent methodology to compute risk, and produces the prioritized written report a regulator can read. The full breakdown of where the tool's coverage ends and the regulatory expectation continues lives at the HHS SRA tool isn't enough.
The corrective standard: use the SRA Tool as scaffolding for the assessment work, but produce a final risk-analysis document with methodology, findings, ratings, and corresponding mitigations.
What "audit-defensible risk analysis" looks like
The risk analysis OCR expects to see has six properties:
- Dated — within the last 12 months, with prior versions retained.
- Scoped — to the practice's full ePHI footprint, not just the EHR.
- Methodologically documented — references NIST SP 800-30 or equivalent.
- Threat-and-vulnerability separated — with likelihood and impact ratings.
- Linked to mitigations — every above-threshold risk has a documented response.
- Reviewable — produced as a written report, not buried in a tool's dashboard.
A risk analysis carrying these six properties does the work the regulation intended it to do, which is driving the entire downstream safeguard program of the practice off a single authoritative document that can be handed to an auditor, an insurer, a banker during a credit review, or an acquiring entity during due diligence and read as a coherent description of where the practice's PHI lives, what threatens it, and what the practice has implemented in response.
Where Patient Protect fits
The accuracy of a risk analysis decays the moment it ships because the inputs underneath it — the inventory of SaaS integrations, the count of endpoints under encryption enforcement, the list of vendors holding executed BAAs, the workforce composition with named privileged access — all keep moving while the document on the shelf sits still, so I built Patient Protect's monitoring layer to keep those inputs current against the analysis between the annual reviews. The platform observes the OAuth consent grants logged on the practice's Google Workspace or Microsoft 365 tenant to catch the day a new SaaS first receives a PHI-bearing scope, runs continuous endpoint configuration telemetry to flag the laptop that was enrolled in MDM yesterday but never had FileVault enforced or the workstation that dropped off MDM enrollment three weeks ago, ingests the practice's vulnerability scanner output and matches each CVE against the systems already named in the analysis so a critical SMB vulnerability on the imaging server surfaces against the same control framework rather than living in a separate scanner dashboard, and surfaces BAA renewal dates 90 days before the executed agreement lapses. The annual document still gets written by humans who own the methodology. The inputs that document is built from stop being stale 60 days after the report ships. Plans start at $39/month.
Patient Protect tracks risk-analysis inputs continuously — vendor BAAs, device encryption, audit-log access, training completion — and surfaces gaps before they become enforcement findings. Plans start at $39/month with a 14-day free trial.

