# HIPAA Security Risk Assessment (SRA)

> Draft and validate the Security Risk Assessment required by the HIPAA Security Rule (45 CFR §164.308(a)(1)). Defines scope and ePHI boundaries, inventories assets and Business Associate relationships, maps threats and vulnerabilities, assesses Required and Addressable safeguards, and produces the SRA report and risk register aligned with HHS/OCR audit protocol.
Tags: HIPAA, HITECH, Security, Risk Assessment, ePHI, Healthcare, Compliance, SRA, HHS/OCR, Business Associate, NIST


## Example Prompts

- Conduct a HIPAA Security Risk Assessment for our EHR system and connected devices
- Inventory ePHI assets, verify Business Associate Agreements, and map threats and vulnerabilities with risk ratings
- Validate the SRA report covers all three safeguard categories, BA management, and has a complete risk register with owners and target dates

URL: https://rakenne.app/skills/hipaa-security-risk-assessment/index.md

Try this skill: https://rakenne.app/a/?skill=hipaa-security-risk-assessment


## Overview

Draft and validate the Security Risk Assessment required by the HIPAA Security Rule (45 CFR §164.308(a)(1)). Maps ePHI assets to threats, vulnerabilities, and safeguards across administrative, physical, and technical categories. Produces the SRA report and risk register aligned with HHS/OCR audit protocol.

## Example Conversation

> **You:** We need a HIPAA Security Risk Assessment for our EHR platform and patient portal. We have about 15 ePHI-touching systems. Can you draft the SRA and risk register, then validate it?

> **Agent:** I'll inventory the ePHI assets you described, map threats and vulnerabilities per NIST SP 800-30, document administrative, physical, and technical safeguards in place, rate risk as likelihood × impact, and build the risk register with remediation owners and target dates. Then I'll run `sra_safeguard_coverage_check` on the draft.

> **Agent:** Created `sra-report.md`. Running `sra_safeguard_coverage_check`...

> **Agent:** Check **FAIL** — the document covers administrative and technical safeguards but the physical safeguard section is missing. Also, two ePHI references have no nearby threat/vulnerability pairing. I'll add the physical safeguard section (facility access, workstation security, device disposal) and pair the missing assets with threats.

> **Agent:** Updated the report. Re-ran `sra_safeguard_coverage_check`: **PASS** — all three safeguard categories present, all ePHI assets paired with threats, likelihood and impact ratings present, remediation items have owners and target dates.

## What the Tools Validate

The skill includes one extension tool:

**`sra_safeguard_coverage_check`** scans the SRA document for four dimensions of completeness:

- **Safeguard category coverage** — The document must reference all three HIPAA safeguard categories: administrative (§164.308), physical (§164.310), and technical (§164.312).
- **ePHI asset–threat pairing** — Each ePHI asset reference must have a threat or vulnerability described nearby (within an 8-line window), ensuring no asset is left unanalyzed.
- **Risk ratings** — The document must include both likelihood and impact rating references so every risk entry has a quantified risk level.
- **Remediation completeness** — Remediation or action items must include an owner/responsible party and a target date to ensure accountability.

**Output:** PASS if all four checks are satisfied; otherwise FAIL with per-section detail showing what is missing. Run on the draft after completing the risk register; fix gaps and re-run until the check passes.
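The four dimensions described above, as an added Python illustration of how such a scanner can work; this is not the skill's own `sra_safeguard_coverage_check` code, and the keyword lists, the 8-line window logic and the embedded sample document are assumptions constructed for the example.

```python
import re
# Constructed sample, abridged from the page's report excerpt, so the block runs offline.
SAMPLE_SRA = """## ePHI Inventory
| Asset | System | Data flow | Threats | Vulnerabilities |
| Patient demographics | EHR (Epic) | ePHI created, received, maintained | Unauthorized access, ransomware | Unpatched OS |
## Administrative Safeguards (§164.308)
## Physical Safeguards (§164.310)
## Technical Safeguards (§164.312)
## Risk Register
| Risk ID | Asset | Threat | Likelihood | Impact | Risk Level | Remediation | Owner | Target Date |
| R-001 | EHR | Ransomware | High | High | Critical | Deploy EDR, segment network | CISO | 2026-06-30 |
"""
CATEGORIES = {"administrative": "164.308", "physical": "164.310", "technical": "164.312"}
THREAT_WORDS = re.compile(r"\b(threat|vulnerabilit|ransomware|unauthorized|interception|data loss|unpatched)", re.I)
PAIRING_WINDOW = 8  # lines either side of an ePHI mention, per the tool description (assumed)

def check_categories(text):
    """Each safeguard category must appear on a line together with its CFR section number."""
    return {cat: bool(re.search(rf"{cat}.*{re.escape(sec)}|{re.escape(sec)}.*{cat}", text, re.I))
            for cat, sec in CATEGORIES.items()}

def check_pairings(text):
    """Return 1-based line numbers of ePHI mentions with no threat/vulnerability term in the window."""
    lines = text.splitlines()
    unpaired = []
    for i, line in enumerate(lines):
        if "ephi" not in line.lower():
            continue
        window = lines[max(0, i - PAIRING_WINDOW): i + PAIRING_WINDOW + 1]
        if not any(THREAT_WORDS.search(l) for l in window):
            unpaired.append(i + 1)
    return unpaired

def check_ratings(text):
    """Both rating dimensions must be referenced so risk = likelihood x impact can be derived."""
    return {k: k in text.lower() for k in ("likelihood", "impact")}

def check_remediation(text):
    """Remediation items need an accountable owner and a target date."""
    return {"owner": bool(re.search(r"\bowner\b|responsible party", text, re.I)),
            "target_date": bool(re.search(r"target date|\b\d{4}-\d{2}-\d{2}\b", text, re.I))}

def sra_safeguard_coverage_check(text):
    """PASS only when all four dimensions hold; detail shows what is missing on a FAIL."""
    detail = {"categories": check_categories(text), "unpaired_ephi_lines": check_pairings(text),
              "ratings": check_ratings(text), "remediation": check_remediation(text)}
    ok = (all(detail["categories"].values()) and not detail["unpaired_ephi_lines"]
          and all(detail["ratings"].values()) and all(detail["remediation"].values()))
    return ("PASS" if ok else "FAIL"), detail
```

Dropping the physical safeguard heading from the sample reproduces the FAIL shown in the example conversation, and the detail dictionary names the missing category.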

## Output Excerpt

Excerpt from a generated SRA report and sample validator output.

**SRA report (excerpt):**

```markdown
## ePHI Inventory

| Asset | System | Data flow | Threats | Vulnerabilities |
|-------|--------|-----------|---------|-----------------|
| Patient demographics | EHR (Epic) | ePHI created, received, maintained | Unauthorized access, ransomware | Unpatched OS, weak access controls |
| Lab results | Lab portal | ePHI transmitted | Interception, data loss | Unencrypted transport |

## Administrative Safeguards (§164.308)
- Security management process: Risk analysis (this document), risk management, sanction policy, IS activity review.
- Workforce security: Authorization/supervision, clearance procedures, termination procedures.

## Physical Safeguards (§164.310)
- Facility access controls: Badge access, visitor logs, contingency operations plan.
- Workstation use/security: Screen lock policy, encrypted drives.

## Technical Safeguards (§164.312)
- Access control: Unique user ID, emergency access, auto logoff, encryption.
- Audit controls: System activity logs reviewed monthly.

## Risk Register
| Risk ID | Asset | Threat | Likelihood | Impact | Risk Level | Remediation | Owner | Target Date |
|---------|-------|--------|------------|--------|------------|-------------|-------|-------------|
| R-001 | EHR | Ransomware | High | High | Critical | Deploy EDR, segment network | CISO | 2026-06-30 |
```

**sra_safeguard_coverage_check report (excerpt):**

```
=== SRA SAFEGUARD COVERAGE CHECK ===
Result: PASS

Document: sra-report.md

--- Safeguard Category Coverage ---
  administrative (§164.308): FOUND
  physical (§164.310): FOUND
  technical (§164.312): FOUND

--- ePHI Asset / Threat-Vulnerability Pairing ---
  ePHI references found: 4
  All ePHI references have nearby threat/vulnerability context.

--- Risk Ratings (Likelihood × Impact) ---
  Risk entries found: 6
  Likelihood and impact references present.

--- Remediation / Action Items ---
  Remediation references found: 6
  Owner and target date references present.
```

## Getting Started

Add your source materials to the project workspace (network diagrams, system inventory, existing policies), then activate the *HIPAA Security Risk Assessment (SRA)* skill. The agent will guide you through ePHI inventory, threat analysis, safeguard assessment, risk determination, and running `sra_safeguard_coverage_check` to validate completeness before audit.
