What if I Told You Your HIPAA SRA is Worthless?

Every year, clinics face the same scenario: technology and security vendors urging you to spend thousands on a HIPAA Security Risk Assessment (SRA). Vendors use the SRA in pitches that often rely on Fear, Uncertainty, and Doubt (FUD) to upsell additional products and services.

Here’s the reality: the annual HIPAA SRA is required, but it’s almost worthless. Worse, the real threats your clinic faces may not even be addressed by the SRA.

The SRA: Required but almost worthless

The HIPAA Security Risk Assessment is a compliance necessity. Failure to complete it can:

  • Disqualify you from MIPS incentives
  • Expose you to fines, sanctions, and potential lawsuits
  • Damage your reputation in the event of a breach

The SRA is just the first step, but it is nowhere near sufficient. It may help identify some risks to the practice, but it does very little to inform HOW to mitigate those risks. As a result, vendors often oversell its importance or overcomplicate the process, and/or use HIPAA as a stick to convince you to buy expensive products and services that may not be necessary.

Vendor Claims

  • Their product or service is required by HIPAA
  • Their product or service is HIPAA “certified”
  • Their product or service will help you “pass” your SRA

The fact is, the only way to actually fail your SRA is to not complete it in the first place. And there is no such thing as a security product being “HIPAA-Certified”.

HIPAA’s actual terms around protecting ePHI (electronic protected health information) are notoriously vague, leaving covered entities with more questions than answers. The Security Rule mandates that practices must safeguard ePHI against theft, loss, destruction, and improper access, whether accidental or intentional, and from both internal and external sources.

However, it doesn’t prescribe specific methods or technologies to achieve these protections. This lack of clarity can lead to confusion, over-interpretation, or, worse, a reliance on vendor-driven solutions that promise compliance without addressing real risks. The result is that many practices focus on checking the compliance box and buying expensive products and services rather than implementing practical, effective safeguards tailored to their unique vulnerabilities.

As further evidence of the HIPAA SRA’s uselessness in actually preventing a breach, pretty much every practice that appears on HHS’ HIPAA “Wall of Shame” had actually completed its SRA – some of them every year prior to the breach.

The Real Risk Factor: Internal Staff

While there is a big focus on expensive technology tools and services, they often fail to address the largest risk: internal staff. Insider incidents don’t always stem from malicious intent. According to the FBI, insider threats are the leading cause of security breaches over 95% of the time in healthcare. These include:

  • Negligence: Employees accidentally sharing sensitive information or misconfiguring systems
  • Untrained staff: Falling for phishing emails or improper handling of ePHI
  • Snooping: Employees accessing a medical record with no business or clinical justification
  • Malicious insiders: Disgruntled employees intentionally exposing or stealing sensitive data

Even the best technology team and the most advanced security tools can’t fully protect against insider risks without proactive measures and education.

Why Clinics Feel Trapped

Clinics often overspend on SRAs or security solutions due to:

  • Vendor pressure: Using fear of fines or breaches to upsell unnecessary services
  • Misplaced focus: Investing heavily in external defenses while neglecting internal risks
  • Lack of education: Assuming technology alone can solve all compliance and security challenges

Take Ownership of Your Security

The SRA is a compliance requirement, but its true value depends on how your clinic uses it. By focusing on education, internal vigilance, and practical solutions, you can strengthen your practice without falling for vendor hype.

HIPAA Security is not an IT issue, so it should not be solely delegated to IT staff or outside vendors. It is also not a once-a-year issue like the SRA. It is a practice-wide issue, requiring ongoing focus and attention from all departments and staff at all levels.

The 4 P’s of an Effective Security Program

  1. Policies – what you are going to do
  2. Processes – how you are going to implement them
  3. People – education, training and awareness – ongoing
  4. Products – the proper tools to automate the other 3 P’s wherever and whenever possible

The Bottom Line: Security Starts Beyond the SRA

At the end of the day, the HIPAA SRA is required – but let’s face it, it’s almost worthless on its own. It’s a compliance checkbox that won’t protect your clinic from real-world threats, especially the ones that matter most, like internal risks from untrained or negligent staff. Vendors love to oversell the SRA’s importance, but the truth is, it’s just a starting point – and you should not fall for the vendor’s upselling tactics.

The real work happens when you focus on what actually keeps your practice secure: clear policies, repeatable processes, ongoing staff training, and tools that make those things easier and more automated. Security isn’t just an IT issue – it’s a practice-wide responsibility. So, don’t stop at the SRA. Take ownership, focus on what really matters, and build a security program that works for your clinic, not for the vendors.

Connect With Our Team to Learn How a VCIO Can Help Your Practice.

About the Author

Marion Jenkins

Some time ago I foolishly committed to help “fix” the mess that is healthcare technology, and I’ve nearly died twice trying (to be clear, one of those was near-blind, not near-death…) Being in both healthcare AND tech, I basically have no life, however I enjoy classic rock, 80s movies and spending time with family - especially grandkids!

© 2025 HeathSpaces