HIPAA Risk Assessments for Therapists:
What Actually Counts (and What Doesn’t)

Quick Note: Throughout this article, I use the term Security Risk Analysis (SRA) because that is the terminology used within the HIPAA Security Rule. You may also hear the process called a Security Risk Assessment or HIPAA risk assessment. While these terms are often used interchangeably, the HIPAA requirement is a Security Risk Analysis.

Therapists spend a great deal of time thinking about confidentiality. Protecting client information is woven throughout clinical work and shows up in informed consent discussions, documentation decisions, communication practices, supervision, telehealth, and countless small decisions that happen throughout the day. What tends to receive far less attention are the operational requirements that support those responsibilities behind the scenes.

One of the most significant examples is the Security Risk Analysis, often referred to as an SRA. In conversations with therapists, I find that the term is often unfamiliar. Some providers are encountering it for the first time. Others have heard it mentioned but are not entirely sure what it involves, whether it applies to their practice, or how it differs from the many other HIPAA-related requirements they have encountered.

That uncertainty makes sense because Security Risk Analyses are rarely discussed in the same way as privacy notices, Business Associate Agreements, telehealth platforms, or documentation requirements, even though they sit underneath many of those compliance activities. Under the HIPAA Security Rule’s Risk Analysis Standard, covered entities and business associates are required to conduct an accurate and thorough assessment of potential risks and vulnerabilities to electronic protected health information. 

One reason this topic creates confusion is that many providers have already taken meaningful steps toward compliance. They may use a secure EHR, maintain HIPAA policies and procedures, sign Business Associate Agreements, complete trainings, or implement safeguards designed to protect client information. Those activities may be important parts of a compliance program, but they are not the same thing as a Security Risk Analysis. In many cases, they represent individual pieces of compliance rather than the process of evaluating how risks to electronic protected health information are identified, assessed, and managed throughout the practice.

Do Therapists Need a Security Risk Analysis?

Short Answer

Yes, if your practice creates, receives, maintains, or transmits electronic protected health information.

Full Explanation

A therapist does not need a large staff, multiple locations, or a complex technology environment for electronic protected health information to exist within the practice. Documentation systems, billing platforms, scheduling tools, email, telehealth platforms, cloud storage, and practice management systems may all be part of how client information is created, received, maintained, or transmitted.

This is where the requirement becomes more practical than many providers expect. The question is not whether a practice looks like a hospital or large healthcare organization. The question is whether electronic protected health information exists within the practice and whether risks to that information have been evaluated.

It can feel reasonable to assume this has already been handled by a vendor. If an EHR advertises HIPAA compliance, or a telehealth platform offers a Business Associate Agreement, it may seem like the major compliance work has already been completed. The challenge is that vendors evaluate their own systems. They do not evaluate how information moves through an individual therapy practice, who has access to it, how devices are used, how documentation is handled, or what risks exist within that specific workflow.

An SRA is the practice’s evaluation. It helps identify where electronic protected health information exists, where vulnerabilities may exist, and what safeguards are being used to reduce risk. OCR’s Guidance on Risk Analysis Requirements Under the HIPAA Security Rule describes risk analysis as a foundational element of Security Rule compliance because it helps organizations understand and address risks to electronic protected health information. 

What Counts as a Real Security Risk Analysis?

A real Security Risk Analysis is a structured evaluation of how electronic protected health information moves through a practice and where that information could be exposed. It is not simply a form, a checklist, a software report, or a one-time task completed when the practice first opens.

For therapists, the SRA often becomes an operational conversation. It looks at how clinical work, documentation, communication, billing, scheduling, telehealth, staff access, and vendor relationships interact with protected information. The point is not to create paperwork for its own sake. The point is to understand where client information exists, how it is being handled, and whether the safeguards in place are reasonable for the practice.

A meaningful SRA usually considers where electronic protected health information is created, stored, accessed, transmitted, and maintained. It also looks at who has access to that information, how access is managed, how devices are used, how records are retained, how communication occurs, and how vendors or connected systems interact with client information.

Two practices using the same EHR may still have very different risk profiles. One practice may have multiple clinicians, administrative staff, remote work arrangements, interns, shared office space, and several connected systems. Another may be a solo telehealth practice with fewer access points but different risks related to home office setup, device use, email, and cloud storage. The software may be the same, but the operational environment is not.

That is why a real SRA has to reflect the practice itself. It should document the areas reviewed, the risks identified, the safeguards already in place, and any decisions made about how risks will be addressed. The result should be a clear record of how the practice understands and manages risks to electronic protected health information.

What Does Not Count as a Security Risk Analysis?

Some compliance activities are important but still do not replace a Security Risk Analysis. This is where practices can have several responsible pieces in place and still not have completed the required analysis.

Using an EHR does not equal an SRA. An EHR vendor may secure its own platform, but it does not evaluate how your practice uses that platform, who has access, how information moves between systems, or what happens in your documentation and communication workflows.

Signing Business Associate Agreements does not equal an SRA. BAAs help define responsibilities between the practice and vendors that may handle protected health information, but they do not evaluate risks inside the practice itself.

Having HIPAA policies and procedures does not equal an SRA. Policies describe expectations for how information should be handled. A Security Risk Analysis evaluates how information is actually handled and where risks may exist.

Completing a cybersecurity scan does not equal an SRA. Technical scans can be useful, but they do not usually address documentation habits, staff access, supervision structures, communication patterns, or the way clinical workflows affect protected information.

Downloading a checklist or template does not equal an SRA. A checklist may help a practice think through certain areas, but it only becomes meaningful if it is used to evaluate the practice’s actual systems, workflows, risks, safeguards, and follow-up decisions.

The issue is not that these activities are unhelpful. Many of them are necessary parts of a broader compliance program. The issue is assuming that one of them replaces the structured evaluation that the SRA is meant to provide.

What Are the Most Common Security Risk Analysis Mistakes?

Security Risk Analyses can feel unfamiliar because they require therapists to look beyond the clinical relationship and examine how the practice functions operationally. Clinical training prepares therapists to think deeply about confidentiality, ethics, documentation, and client care. It does not always prepare them to evaluate risk across devices, platforms, access permissions, vendor relationships, staff workflows, and remote work environments.

One area where practices often run into problems is treating the SRA as a one-time project. A practice may complete something early in its development and then never revisit it, even after adding telehealth, changing systems, hiring staff, expanding services, or modifying communication workflows. Over time, the documentation no longer reflects how the practice actually operates.

Another issue is relying too heavily on technology. Secure platforms matter, but technology does not remove the need to evaluate how the practice uses those platforms. An EHR, encrypted email system, or telehealth platform may support compliance, but the practice still needs to understand how information moves through the full workflow.

Documentation is another common gap. A practice may talk through risks informally, make responsible adjustments, or have reasonable safeguards in place, but if the evaluation is not documented, it becomes difficult to demonstrate what was reviewed and why certain decisions were made.

For group practices, these issues become more layered. Additional clinicians, interns, supervisors, administrative staff, billing support, and shared systems create more access points and more opportunities for inconsistency. As the practice grows, the SRA needs to reflect the increased complexity of how information is handled across the organization.

How Often Should Therapists Update a Security Risk Analysis?

HIPAA does not give every practice one universal calendar date for updating an SRA, but the analysis should not be treated as something completed once and then filed away indefinitely. A Security Risk Analysis needs to remain connected to how the practice actually operates.

For many practices, reviewing the SRA at least annually is a practical standard. It gives the practice a regular opportunity to look at whether systems, workflows, staffing, vendors, devices, and communication methods still match what was previously documented.

Updates may also be needed when significant changes occur. That could include adopting a new EHR, expanding telehealth, hiring clinicians or administrative staff, changing billing systems, adding locations, modifying documentation workflows, changing communication tools, or adding technology that affects how electronic protected health information is handled.

The point is not necessarily to restart the entire process every time something changes. The point is to evaluate whether the change affects risk and whether the existing documentation still reflects the practice. When the practice changes but the SRA does not, the analysis can quickly become outdated.

What Documentation Should Exist After an SRA?

Completing the analysis is only part of the process. The practice also needs documentation showing what was evaluated, what risks were identified, what safeguards were in place, and what decisions were made in response.

This is where the SRA becomes more than an internal exercise. It creates a record of the practice’s risk management process. That record may include the scope of the evaluation, the systems and environments reviewed, areas where electronic protected health information exists, findings, safeguards, planned actions, and follow-up steps.

For a solo practice, the documentation may focus heavily on devices, documentation systems, telehealth, email, billing, scheduling, record storage, and home office or shared office arrangements. For a group practice, it may also include staff access, supervision structures, administrative workflows, onboarding, offboarding, permission levels, and vendor coordination.

The expectation is not that a practice has eliminated every possible risk. The expectation is that the practice can show it has identified risks, considered the impact of those risks, and taken reasonable steps to address them. Without documentation, even responsible efforts can become difficult to demonstrate later.

Is a Security Risk Analysis the Same as Being HIPAA Compliant?

A Security Risk Analysis is a required part of HIPAA compliance, but it is not the same thing as being fully compliant. This distinction matters because completing an SRA does not automatically mean every policy, safeguard, workflow, training requirement, vendor relationship, or documentation process is complete.

The SRA helps the practice understand where risks exist and what safeguards may be needed. From there, the practice still has to act on the findings, update policies and procedures when needed, train staff, manage vendors, monitor workflows, and revisit the analysis as the practice changes.

A practice can complete an SRA and still have gaps if the findings are not addressed. The analysis is the foundation, not the entire structure. It informs the rest of the compliance work by showing where attention is needed.

For therapists, this can be a helpful shift. HIPAA compliance is not something a practice finishes once and never revisits. It is an ongoing system of decisions, safeguards, documentation, and review. The SRA supports that system by helping the practice understand where electronic protected health information may be vulnerable and how those risks are being managed.

What Do HIPAA Audits and Investigations Look For?

When HIPAA questions arise, the focus is often on whether the practice can demonstrate what it did. Good intentions matter clinically, but compliance review usually depends on documentation, consistency, and whether the practice can show how risks were identified and addressed.

A documented SRA is often one of the first areas that receives attention because it shows whether the practice has evaluated risks to electronic protected health information. OCR’s Resolution Agreements and Civil Money Penalties archive includes multiple enforcement actions involving failures to conduct an accurate and thorough risk analysis, which is one reason this requirement carries so much weight.

For therapy practices, review questions may involve whether the SRA exists, whether it reflects current operations, whether policies match actual workflows, whether staff access is managed appropriately, whether vendors are addressed, and whether identified risks led to reasonable safeguards.

This is also where operational consistency matters. A practice may have written procedures that look organized, but if daily workflows do not match those procedures, the documentation becomes harder to rely on. The SRA helps connect written compliance expectations with what is actually happening in the practice.

A Security Risk Analysis Is a Foundation, Not the Finish Line

A Security Risk Analysis helps identify and evaluate risks to electronic protected health information, but it represents only one component of HIPAA compliance. Ongoing compliance also involves policies and procedures, workforce training, vendor oversight, documentation, and periodic review as the practice changes over time.

What Risk Areas Are Often Overlooked in Therapy Practices?

In mental health settings, risk often appears in ordinary workflows rather than dramatic security failures. Because these habits feel routine, they can be easy to miss unless the practice steps back and looks at how information actually moves.

Device use is one example. Therapists may use laptops, tablets, phones, or shared devices for documentation, scheduling, telehealth, messaging, or administrative work. Each device becomes part of the risk picture if it can access electronic protected health information.

Remote work and telehealth environments also matter. Conducting sessions from home, using multiple locations, or documenting outside a traditional office changes how privacy is maintained and how information is accessed, stored, and protected.

Communication workflows can introduce risk as well. Email, messaging, appointment reminders, voicemail, care coordination, and client follow-up may all involve protected health information in different forms. The level of risk depends on how those workflows are structured and whether safeguards are in place.

Group practices often need to pay closer attention to staff roles, supervision, access permissions, onboarding, offboarding, and documentation review. Interns, administrative staff, billers, supervisors, and clinicians may all interact with protected information differently, and the SRA should reflect how those roles are managed.

Vendor relationships and integrations also deserve attention. EHRs, telehealth platforms, billing tools, scheduling systems, cloud storage, email systems, and communication platforms may all interact with client information. The SRA helps the practice understand how those systems connect and where exposure may occur.

Looking for more therapist-focused HIPAA guidance?

Subscribe to receive educational articles, compliance updates, implementation resources, and practical tools from Guardian Clinical Essentials™.

What Should Therapists Do Next?

The first step is to determine whether your practice has a documented Security Risk Analysis and whether it reflects how the practice operates today. If the answer is unclear, that is useful information. It may mean the practice has compliance pieces in place but has not completed the structured evaluation that connects those pieces together.

From there, the next step is to look at how electronic protected health information moves through the practice. That includes documentation, communication, billing, scheduling, telehealth, devices, vendors, staff access, and any systems that create, receive, maintain, or transmit client information.

The goal is not to create a perfect compliance system overnight. The goal is to begin moving from assumption to documentation. A practice is in a stronger position when it can explain what risks were reviewed, what safeguards exist, what decisions were made, and what still needs attention.

For many therapists, the hard part is not understanding that client information should be protected. That part is already deeply familiar. The harder part is translating that responsibility into an operational process that can be documented, maintained, and updated over time.

If you need a structured way to complete and document your Security Risk Analysis, you can explore the available systems here:

Security Risk Analysis systems for therapists

Frequently Asked Questions

Do therapists need a Security Risk Analysis?

Yes, if the practice creates, receives, maintains, or transmits electronic protected health information.
Many therapy practices use electronic systems for documentation, scheduling, billing, telehealth, communication, or record storage. When electronic protected health information is involved, risks to that information need to be evaluated and documented.

Is a HIPAA risk assessment the same as a Security Risk Analysis?

Usually, yes.
Many people use the terms HIPAA risk assessment, Security Risk Assessment, and Security Risk Analysis interchangeably. In this article, SRA refers to the Security Risk Analysis required under the HIPAA Security Rule.

Does my EHR complete my Security Risk Analysis for me?

No.
An EHR vendor may secure its own platform, but it does not evaluate how your specific practice uses the system. Your practice still needs to evaluate access, workflows, devices, documentation habits, communication methods, and other areas where electronic protected health information may be exposed.

Does a Business Associate Agreement replace a Security Risk Analysis?

No.
A Business Associate Agreement helps define responsibilities between a practice and a vendor that may handle protected health information. It does not evaluate risks within the practice itself or replace the need for a documented SRA.

How often should a therapy practice update its SRA?

It depends, but at least annually is a common practice standard.
An SRA should also be reviewed when significant changes occur, such as adding telehealth, hiring staff, changing systems, expanding services, or modifying workflows that affect electronic protected health information.

What happens if a therapist does not have an SRA?

The practice may have difficulty demonstrating Security Rule compliance.
If questions arise during an audit, investigation, breach review, or internal compliance review, the SRA is often a key document showing how risks to electronic protected health information were identified and addressed.

Does a solo therapist need an SRA?

Yes, if electronic protected health information is involved.
HIPAA does not limit the SRA requirement to large organizations. A solo therapist using electronic documentation, telehealth, billing systems, email, or scheduling tools may still need to evaluate risks to electronic protected health information.

What should be included in a Security Risk Analysis?

It should reflect how electronic protected health information is handled in the practice.
This may include systems, devices, vendors, access permissions, documentation workflows, telehealth, communication methods, physical environments, and safeguards used to reduce risk.

About the Author

Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3

Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™.

She helps therapists and group practices understand how compliance, documentation, privacy, technology, and practice operations work together in real-world clinical settings. Her work focuses on turning complex requirements into practical systems, policies, workflows, and implementation strategies that providers can actually use.

Drawing from experience in both clinical practice and compliance consulting, Samantha specializes in helping mental health professionals build defensible, sustainable systems that support both quality care and regulatory compliance.

Learn more about Samantha and Guardian Clinical Essentials™.

Samantha Schalk, LMSW-C, LMSW-M, founder of Guardian Clinical Essentials

Continue Exploring Guardian Clinical Essentials™

Looking for additional compliance, privacy, AI, documentation, and practice operations resources?

Explore the Guardian Clinical Essentials™ Resource Library for educational articles, implementation guidance, training opportunities, and practical resources designed specifically for mental health professionals.

This site uses cookies to enhance your experience and analyze site usage. By continuing, you consent to our use of cookies. For details, see our Cookie Policy.