Every year, clinics face the same scenario: technology and security vendors urging you to spend thousands on a HIPAA Security Risk Assessment (SRA). Vendors use the SRA in pitches that often rely on Fear, Uncertainty, and Doubt (FUD) to upsell additional products and services. Here’s the reality: the annual HIPAA SRA is required, but it’s almost worthless. Worse, the real threats your clinic faces may not even be addressed by the SRA.

The SRA: Required but almost worthless

The HIPAA Security Risk Assessment is a compliance necessity. Failure to complete it can:

The SRA is just the first step, but it is nowhere near sufficient. It may help identify some risks to the practice, but it does very little to inform HOW to mitigate those risks. Vendors therefore often oversell its importance, overcomplicate the process, or use HIPAA as a stick to convince you to buy expensive products and services that may not be necessary.

Vendor Claims

The fact is, the only way to actually fail your SRA is not to complete it in the first place. And there is no such thing as a security product being “HIPAA-certified”.

HIPAA’s actual terms around protecting ePHI (electronic patient health information) are notoriously vague, leaving covered entities with more questions than answers. The Security Rule mandates that practices safeguard ePHI against theft, loss, destruction, and improper access, whether accidental or intentional, and from both internal and external sources. However, it does not prescribe specific methods or technologies to achieve these protections. This lack of clarity can lead to confusion, over-interpretation, or, worse, a reliance on vendor-driven solutions that promise compliance without addressing real risks. The result is that many practices focus on checking the compliance box and buying expensive products and services rather than implementing practical, effective safeguards tailored to their own vulnerabilities.
As further evidence of the HIPAA SRA’s uselessness in actually preventing a breach, pretty much every practice that appears on HHS’ HIPAA “Wall of Shame” had completed its SRA, some of them every year prior to the breach.

The Real Risk Factor: Internal Staff

While there is a big focus on expensive technology tools and services, they often fail to address the largest risk: internal staff. And insider risks don’t always come from malicious intent. According to the FBI, insider threats are the leading cause of security breaches over 95% of the time in healthcare. These include:

Even the best technology team and the most advanced security tools can’t fully protect against insider risks without proactive measures and education.

Why Clinics Feel Trapped

Clinics often overspend on SRAs or security solutions due to:

Take Ownership of Your Security

The SRA is a compliance requirement, but its true value depends on how your clinic uses it. By focusing on education, internal vigilance, and practical solutions, you can strengthen your practice without falling for vendor hype. HIPAA security is not an IT issue, so it should not be delegated solely to IT staff or outside vendors. Nor is it a once-a-year issue like the SRA. It is a practice-wide issue, requiring ongoing focus and attention from all departments and staff at all levels.

The 4 P’s of an Effective Security Program

The Bottom Line: Security Starts Beyond the SRA

At the end of the day, the HIPAA SRA is required, but let’s face it, it’s almost worthless on its own. It’s a compliance checkbox that won’t protect your clinic from real-world threats, especially the ones that matter most, like internal risks from untrained or negligent staff. Vendors love to oversell the SRA’s importance, but the truth is that it’s just a starting point, and you should not fall for their upselling tactics.
The real work happens when you focus on what actually keeps your practice secure: clear policies, repeatable processes, ongoing staff training, and tools that make those things easier and more automated. Security isn’t just an IT issue – it’s a practice-wide responsibility. So, don’t stop at the SRA. Take ownership, focus on what really matters, and build a security program that works for your clinic, not for the vendors.