
    HIPAA Security Risk Assessment: Why a Questionnaire Isn't a Risk Analysis

    > TL;DR: A HIPAA risk analysis is required under 45 CFR 164.308(a)(1)(ii)(A) — not addressable, required. Filling out a questionnaire is not the same thing. OCR expects an accurate, thorough assessment of the real threats and vulnerabilities to your ePHI, the measures that reduce them (45 CFR 164.308(a)(1)(ii)(B)), and proof you implemented them. A self-attestation form records what you believe; a technical scan shows what's actually exposed. This is the difference between a document and a defense — and it's why risk analysis is the single most-cited deficiency in OCR enforcement.

    Walk into most small practices and ask for the risk assessment. You'll get a PDF. Someone sat down once, answered a list of yes/no questions, checked the boxes, and filed it.

    That file feels like proof. In an OCR investigation, it's often the opposite.

    The honest version is this: a questionnaire is not a risk analysis. A questionnaire records what someone thought was true on the day they filled it out. A risk analysis identifies what is actually putting your ePHI at risk — and that is the thing the regulation requires.

    What the rule actually requires

    The Security Rule is unusually direct here. Risk analysis, 45 CFR 164.308(a)(1)(ii)(A), is a required implementation specification — not addressable, not "do it if it's reasonable." Required. It has a companion that is equally required: risk management, 45 CFR 164.308(a)(1)(ii)(B), which tells you to implement security measures sufficient to reduce the risks and vulnerabilities you identified to a reasonable and appropriate level.

    Read those two together and you can see the whole obligation. First you find the risks accurately and thoroughly. Then you reduce them. One without the other doesn't satisfy anything. A finding you never fixed is just a documented failure waiting to be read aloud.

    OCR has repeatedly named the failure to conduct an accurate and thorough risk analysis as one of the most common findings in its enforcement actions (Source: HHS OCR resolution agreements and enforcement actions). Many of those cases didn't start with a dramatic breach. They started with an organization that simply couldn't produce a real one.

    The questionnaire trap

    Here's where well-meaning practices go wrong. They treat the risk assessment as a form to complete, not a process to run.

    A real risk analysis is a loop: assess, map the corrective actions, implement them, document the remediation. And it's triggered by change — a new system, a new location, a leadership change, a new vendor — not by a date on the calendar that says "it's been a year."

    A questionnaire skips the part that matters. It asks "do you encrypt ePHI?" and accepts "yes." It never checks. The day a practice answers "yes" to a question whose real answer is "we bought the tool but never turned it on" is the day the document starts working against them.

    I've watched this exact gap surface. An organization's paperwork said they had a current risk assessment, encryption, real policies, training. The reality was a five-year-old form, an encryption checkbox nobody had enabled, and templated policies sitting unused. The gap between what the paperwork claimed and what was operationally true was invisible — right up until the moment it was exposed. That moment is also the moment it gets expensive.

    What a technical scan changes

    This is the difference most "SRA tools" don't tell you about.

    A questionnaire produces a list of what you believe about your environment. A technical scan produces a list of what is actually exposed — the unpatched system, the open port, the device nobody knew was still connected, the misconfiguration the form would never have caught.

    "Accurate and thorough" is the standard the regulation sets. You cannot be accurate about a risk you never looked for. The scan is how you look. The remediation is how you satisfy the second half — actually reducing the risk, not just naming it. And documenting both is how you prove it when someone asks.
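As an added illustration (not Live Compliance's code), here is one way to model the loop described above: questionnaire answers are reconciled against what a scan actually observed, a "yes" the scan contradicts is flagged, and a finding closes only when a rescan confirms the fix and evidence is recorded. The control names, attestation answers and scan results are constructed.

```python
"""Reconcile a questionnaire's answers against observed control state, then
track each gap to a proven fix. Added illustration, not Live Compliance code;
the controls, answers and scan output below are constructed."""
from dataclasses import dataclass

@dataclass
class Finding:
    control: str            # what the questionnaire asked about
    attested: bool          # what the form said
    observed: bool          # what the technical check actually saw
    evidence: str = ""      # proof the fix landed (rescan report, ticket id)

    @property
    def misattested(self) -> bool:
        # "Yes" on the form but not true in the environment: the document works against you.
        return self.attested and not self.observed

    @property
    def status(self) -> str:
        if not self.observed:
            return "open"          # found but not reduced: a documented failure
        return "remediated" if self.evidence else "in place"

def reconcile(attestation: dict, scan: dict) -> list:
    """Build the register from both sources; every control the scan could observe
    gets an entry, so a 'yes' nobody verified cannot hide behind the form."""
    return [Finding(c, attestation.get(c, False), seen) for c, seen in sorted(scan.items())]

def close_finding(f: Finding, rescan_observed: bool, evidence: str) -> Finding:
    """Close only when a rescan confirms the control AND evidence is recorded.
    A rescan that still fails leaves the finding open, whatever the ticket says."""
    if rescan_observed and evidence:
        f.observed, f.evidence = True, evidence
    return f

def open_findings(register: list) -> list:
    return [f.control for f in register if f.status == "open"]

# Constructed sample: the self-attestation form and a scan of the same environment.
ATTESTATION = {"ephi_at_rest_encrypted": True, "os_patched": True, "unknown_devices_absent": True}
SCAN = {"ephi_at_rest_encrypted": False,    # product licensed, never turned on
        "os_patched": True,
        "unknown_devices_absent": False}     # a forgotten device still on the network

if __name__ == "__main__":
    register = reconcile(ATTESTATION, SCAN)
    for f in register:
        print(f"{f.control}: {f.status}{' (misattested)' if f.misattested else ''}")
```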

    The evidence gap

    Here is the question worth sitting with. If OCR asked today — show me your current risk analysis, show me the vulnerabilities it found, and show me what you did about each one — could you?

    For most practices holding a questionnaire, the honest answer is no. Not because they didn't care. Because the form they were handed was never built to find a vulnerability, let alone prove it was fixed.

    That is the gap. And it's the foundation gap — because almost everything else in your compliance program is supposed to be justified by the risk analysis. Your "addressable" decisions, your security spending, your priorities. Without a real risk analysis underneath, none of it is defensible.

    How Live Compliance closes it

    Live Compliance builds the risk assessment as the process the rule describes, not a form. It includes the technical scan that finds what's actually exposed, the remediation guidance to reduce it, and the documentation of the whole loop — assess, fix, prove. It's triggered by change, with review dates so it doesn't quietly go stale the way a once-a-year PDF does. And it lives in the same platform as your policies, training, and audit trail, so the evidence is in one place when someone asks.

    We've spent 15 years doing exactly this across 500+ organizations, with a 100% audit success rate — most often by closing the distance between what an organization's paperwork claimed and what was actually true. Start with the complete guide to HIPAA risk assessments for the full methodology, or talk to us about turning your questionnaire into a risk analysis that holds up.

    > Accuracy & legal note. This article is a plain-language summary of HIPAA requirements as of June 2026, based on the HIPAA Security Rule (45 CFR Part 164) and HHS guidance current as of that date. Regulations, OCR guidance, and enforcement priorities change. This is general educational information, not legal advice — verify current requirements at hhs.gov/hipaa or with your compliance counsel before acting. Platform capabilities described reflect Live Compliance as of the publish date. Last updated: June 2026.