Security Risk Analysis (SRA) Report Template

A completed Security Risk Analysis is the artifact required by 45 CFR §164.308(a)(1)(ii)(A). A missing or inadequate risk analysis is the deficiency OCR cites most often in HIPAA investigations.

What This Policy Covers

- Executive Summary: Overall risk posture, count of risks by severity, and the top 5 prioritized remediations.
- Scope and Methodology: ePHI systems in scope, assessors, methodology (NIST SP 800-30 plus the HHS SRA Tool), and the likelihood/impact scales used.
- ePHI Inventory and Data Flows: Table with columns System | ePHI Data Types | Storage Location | Transmission Paths | Users | Business Associate (BA) Involvement.
- Threat Sources and Vulnerabilities: Threat-source catalog (adversarial, accidental, structural, environmental) paired with identified vulnerabilities, organized by Administrative / Physical / Technical safeguard category.
- Risk Analysis: Table with one row per threat-vulnerability pair: Likelihood | Impact | Existing Controls | Residual Risk | Risk Score.
- Risk Determination Matrix: Ranked list of all risks from Very High to Very Low, with the rationale for each score.
- Remediation Plan: Table with columns Risk ID | Recommended Safeguard | Owner | Target Date | Re-assessment Trigger.
- Review and Update Schedule: Cadence for repeating the risk analysis and the triggers that force an earlier update (new systems, incidents, major changes), supporting the ongoing risk management required by §164.308(a)(1)(ii)(B) and the periodic evaluation required by §164.308(a)(8).
- Approvals: Sign-off by the Security Officer, Privacy Officer, and Executive Leadership.

Required Sections

A compliant Security Risk Analysis (SRA) Report for HIPAA must include the following 9 sections. Each section addresses a specific control requirement that auditors will review.

1. Executive Summary
2. Scope and Methodology
3. ePHI Inventory and Data Flows
4. Threat Sources and Vulnerabilities
5. Risk Analysis
6. Risk Determination Matrix
7. Remediation Plan
8. Review and Update Schedule
9. Approvals

Generate a Customized Version

This template shows the required structure. PoliWriter generates a fully customized Security Risk Analysis (SRA) Report that references your actual cloud providers, identity systems, tools, and team practices — ready for auditor review.