The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (45 CFR 164.308(a)(1)(ii)(A)). This risk analysis is a foundational and ongoing requirement — not a one-time exercise.
Regulatory Requirement
Under the Security Management Process standard (45 CFR 164.308(a)(1)), organisations must implement four implementation specifications, all of which are Required rather than Addressable:
- Risk Analysis (Required) — Conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI
- Risk Management (Required) — Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- Sanction Policy (Required) — Apply appropriate sanctions against workforce members who violate policies
- Information System Activity Review (Required) — Regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports
Creating a Risk Analysis
To create a new risk analysis in Venvera:
- Navigate to HIPAA → Risk Analysis
- Click New Risk Analysis
- Provide a title (e.g., "Annual ePHI Risk Analysis 2026") and scope description
- Select the assessment date and review period
- The system will pre-populate assets from your PHI Inventory
Risk Analysis Elements
OCR's Guidance on Risk Analysis Requirements under the HIPAA Security Rule describes the following elements of a compliant risk analysis. Venvera's risk analysis template follows the same structure:
| Element | Description |
|---|---|
| Scope | Identify all ePHI the organisation creates, receives, maintains, or transmits, including all systems and media |
| Data Collection | Gather data on where ePHI is stored, received, maintained, or transmitted |
| Threat Identification | Identify and document reasonably anticipated threats to ePHI (natural, human, environmental) |
| Vulnerability Identification | Identify and document vulnerabilities that could be exploited by identified threats |
| Current Controls | Assess and document current security measures in place |
| Likelihood | Determine the likelihood of each threat exploiting each vulnerability |
| Impact | Determine the potential impact if a threat were to exploit a vulnerability |
| Risk Level | Assign risk levels based on the combination of likelihood and impact |
| Risk Management Plan | Document remediation actions and residual risk acceptance |
Risk Scoring
Venvera uses a standard likelihood-impact matrix to calculate risk levels:
- Likelihood — Rare (1), Unlikely (2), Possible (3), Likely (4), Almost Certain (5)
- Impact — Negligible (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)
- Risk Level — Calculated as Likelihood × Impact, categorised as Low (1-5), Medium (6-12), High (13-19), Critical (20-25). Because both inputs are integers from 1 to 5, only fourteen distinct scores can occur (1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, 25); the bands are stated as contiguous ranges so that every cell of the 5×5 matrix maps to exactly one level.
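The following is an added worked example of the scoring scheme above, not code from Venvera: it scores a small, constructed risk register (hypothetical assets, threats and controls) with the two 1-5 scales, bands the product into Low/Medium/High/Critical, and builds the full 5×5 matrix so the band boundaries can be checked for gaps or overlaps. The tie-break in `rank()` (prefer higher impact at equal score) is a design choice of this example, not something the page specifies.

```python
from dataclasses import dataclass

# Scales from the Risk Scoring section (1-5 each).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Band boundaries as (lower bound, upper bound, label), both bounds inclusive.
BANDS = [(1, 5, "Low"), (6, 12, "Medium"), (13, 19, "High"), (20, 25, "Critical")]


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x Impact on the 1-5 scales; raises KeyError on an unknown rating."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Map a product score onto its band; anything outside 1-25 is a bug, not a risk."""
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside the 1-25 matrix")


@dataclass
class RiskItem:
    """One row of the risk register: the threat/vulnerability pair and its controls."""
    asset: str
    threat: str
    vulnerability: str
    current_controls: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def rank(items):
    """Highest score first. At equal score, the higher-impact item is listed first so a
    rare-but-severe scenario is not buried under a frequent-but-minor one (example choice)."""
    return sorted(items, key=lambda i: (i.score, IMPACT[i.impact]), reverse=True)


def matrix():
    """The full 5x5 grid as {(likelihood, impact): level}; every cell must resolve to a band."""
    return {(l, i): risk_level(l * i) for l in range(1, 6) for i in range(1, 6)}


# Constructed sample register (hypothetical assets; not taken from the page).
SAMPLE = [
    RiskItem("EHR database", "Ransomware", "Unpatched OS on DB host",
             "AV only, no offline backups", "Likely", "Catastrophic"),
    RiskItem("Billing laptops", "Theft or loss", "Disk not encrypted",
             "Cable locks", "Possible", "Major"),
    RiskItem("Patient portal", "Credential stuffing", "No MFA on patient login",
             "Rate limiting", "Likely", "Moderate"),
    RiskItem("Fax server", "Misdirected fax", "No recipient confirmation",
             "Manual double-check", "Unlikely", "Minor"),
]

if __name__ == "__main__":
    for item in rank(SAMPLE):
        print(f"{item.level:<8} {item.score:>2}  {item.asset}: "
              f"{item.threat} / {item.vulnerability} [{item.current_controls}]")
```

Two of the sample rows ("Possible × Major" and "Likely × Moderate") both score 12 and land in Medium even though they describe quite different risks; the band hides that distinction, which is why the register keeps the raw likelihood and impact ratings and the current controls alongside the level rather than storing only the label.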
Periodic Review
Risk analysis must be an ongoing process. The Security Rule does not set a fixed interval, and OCR's guidance notes that the appropriate frequency varies between organisations, but OCR expects the analysis to be reviewed and updated:
- At least annually, which is the baseline most organisations adopt and which auditors generally expect to see documented
- When new systems, technologies, or processes are introduced
- After a security incident or breach
- When significant changes occur in the organisation's environment
Venvera tracks the review cycle and will flag risk analyses that are overdue for reassessment.