HIPAA SA-1.1: Conducting Accurate Risk Analysis for ePHI
Risk analysis is the foundation of HIPAA compliance. SA-1.1 requires covered entities and business associates to systematically identify threats to electronic protected health information. Without a documented, thorough assessment, you're flying blind—and audit findings will follow.
What this means
This control mandates that your organization conduct a comprehensive risk assessment covering all systems, processes, and locations where ePHI is stored, transmitted, or processed. The assessment must evaluate potential risks and vulnerabilities that could compromise the confidentiality, integrity, and availability of ePHI. This is not a one-time checkbox; it's an ongoing process that must be repeated periodically and whenever significant system changes occur.
How to comply
- 1.Identify all assets and systems that store, process, or transmit ePHI across your organization
- 2.Document data flows, including where ePHI originates, how it moves, and where it's stored
- 3.Assess potential threats (internal, external, accidental, intentional) to each asset and process
- 4.Evaluate existing safeguards and controls already in place
- 5.Determine the likelihood and impact of each identified vulnerability
- 6.Prioritize risks based on severity and business impact
- 7.Document all findings in a formal risk assessment report with remediation recommendations
- 8.Establish a schedule for periodic reassessment (typically annually or after major system changes)
- 9.Maintain evidence of risk analysis activities and board/management sign-off
Evidence auditors look for
- Documented risk assessment report with scope, methodology, and findings
- Asset inventory listing all systems and locations handling ePHI
- Data flow diagrams showing ePHI movement across the organization
- Threat and vulnerability matrices with likelihood and impact ratings
- Risk scoring/prioritization worksheet
- Remediation action plan with assigned owners and due dates
- Evidence of management review and approval of risk assessment
- Documentation of periodic reassessment dates and any updates to findings
- Spreadsheet or tool output tracking vulnerabilities and mitigation status
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates HIPAA risk analysis by providing a guided assessment framework, auto-generating data flow diagrams from your system inventory, and consolidating findings into a HIPAA-ready report—eliminating months of spreadsheet work.
See how GRCWatch handles this control automatically
Start free trial