Your Biggest Compliance Risk Is the One You Don’t See Coming

Most therapists assume they are compliant until an audit proves otherwise.


But without written HIPAA policies and procedures, a completed Security Risk Assessment, and your state's rules documented, you are already out of compliance and would likely fail an audit.

The Security Risk Analysis is the foundation of the HIPAA Security Rule, and failing to conduct one is among the most common findings cited in OCR enforcement actions.


Does using an EHR make me HIPAA compliant?

No.
An EHR is a tool, not proof of compliance.
HIPAA requires documented policies, a completed Security Risk Assessment, and ongoing risk management regardless of what software you use. An EHR vendor's own safeguards cover the vendor's system, not your practice's devices, staff access, or procedures. Many fined providers had EHR systems but no documented risk analysis.

The State HIPAA Monitoring Toolkit + SRA

A customizable, state-specific system that combines your federally required HIPAA Security Risk Assessment and the mental health laws that actually apply in your state, all in one editable, audit-ready format.


The Compliance Gap You Did Not Know You Had

Here is what federal enforcement repeatedly makes clear:

  • Your EHR does not make you HIPAA compliant

  • HIPAA requires written policies and a Security Risk Assessment that is completed and kept current

  • Every state adds its own rules for minors, Medicaid, telehealth, retention, supervision, and more

Without these in writing, you risk:

  • Having no proof of compliance during an audit

  • Missing critical state requirements you never knew existed

  • Fines, ethics complaints, or board action against your license

And this is not rare. Licensing boards, insurance panels, and federal auditors routinely request these documents.
When you cannot produce them, you are already in violation, even if no breach has occurred.

And here is the part most therapists do not realize:
Providers are getting fined right now for failing to complete their Security Risk Assessments.

This Is Not Theoretical - Providers Are Being Fined for Skipping SRAs

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) publishes its enforcement actions, and failure to complete a proper Security Risk Assessment (SRA) is cited again and again. The penalties have been severe.

Is a Security Risk Assessment required by law or just recommended?

Required.
HIPAA mandates an accurate and thorough risk analysis for any covered entity or business associate that handles electronic protected health information. This is a legal requirement under the HIPAA Security Rule, 45 CFR §164.308(a)(1)(ii)(A), not a best practice.

What You’ll Get

Instead of spending months piecing together policies, you will get a complete, editable system that:

  • Reveals Hidden Compliance Gaps
    Shows you exactly where your practice is out of alignment with HIPAA and your state’s rules before anyone else does.

  • Structures the Federal SRA Requirement
    Gives you the framework to complete HIPAA's mandatory Security Risk Assessment for your own practice, adapted to your state's specific mental health laws.

  • Creates an Audit-Ready Paper Trail
    Professional, organized documentation you can hand to a licensing board, HIPAA investigator, or insurance panel.

  • Keeps Your Compliance Current
    Built-in structure to track tasks, assign responsibilities, and update records without starting over each year.

  • Provides State-Tailored Policies
    Editable policies and forms written for therapists and behavioral health providers, aligned with your license type and location.

Who This Toolkit Is For

  • Solo or group mental health practices

  • Clinical supervisors and compliance officers

  • Practice owners preparing for audits, Medicaid enrollment, or board reviews

  • Providers offering telehealth or services across state lines

Yes - The Security Risk Assessment Is Mandatory

HIPAA requires:

“An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
– HIPAA 45 CFR §164.308(a)(1)(ii)(A)

This toolkit gives you the structure to complete that analysis for your own practice and integrates your state's specific laws so you are covered on both fronts. The requirement is met when you actually work through the assessment and document your findings and risk management decisions, not by owning the template.

Designed for Ongoing Use

Use this toolkit:

  • Annually – the recommended interval for the periodic evaluation and documentation review HIPAA requires

  • When you add services, platforms, or staff – so your policies match your operations

  • After a suspected breach or complaint – to document corrective action

  • Before a board, Medicaid, or insurance audit – to prove compliance

Value & Pricing

Estimated Value: $3,250 – $4,150 if built through a compliance consultant or attorney.

Single-State Toolkit

Regular Price — $2,497
Limited-Time Price — $1,497

Customized with your business name + watermark

Editable, internal-use license (solo or group)

Delivered in 3–5 business days

Multi-State Toolkits start at a Limited-Time Price of $1,997

Fully integrated compliance for each state you operate in

Custom-built to avoid conflicting rules and documentation gaps

Quote required for 2+ states

Licensing & Terms

  • One license = one practice location

  • Editable for internal use only

  • Includes watermark + locked headers/footers

  • Resale prohibited

  • Future legal updates not included but may be offered separately

FORMAT & DELIVERY

📥 Delivered within 3–5 business days

🖊️ Customized with your business name + watermark

🔐 Internal-use license (one business)

🖊️ Fully editable + customizable

📅 Reusable until regulations change

Security Risk Assessment Questions Therapists Ask Most

Do therapists actually have to complete a Security Risk Assessment?

Yes.
HIPAA requires every covered entity to conduct an accurate and thorough assessment of risks to electronic protected health information. This is a federal requirement, not a best practice.

How often does a Security Risk Assessment need to be completed?

Best practice is annually or whenever practice changes occur.
There is no fixed annual interval in HIPAA law. A Security Risk Analysis must be completed initially and updated whenever your practice changes or new risks emerge, and the Security Rule separately requires a periodic evaluation of your safeguards (45 CFR §164.308(a)(8)) without naming a frequency. Most compliance experts recommend reviewing it at least annually as a best practice.

What happens if I have never completed an SRA?

You are already out of compliance.
Failure to complete a Security Risk Assessment is one of the most common findings in federal enforcement actions. If a breach, complaint, or audit occurs, you may face penalties and be required to complete one under a corrective action plan.

Is a Security Risk Assessment only required for large practices or hospitals?

No.
HIPAA applies to solo providers and small practices as well.
Any practice that creates, receives, maintains, or transmits electronic protected health information must complete and maintain a Security Risk Assessment, regardless of size.

What exactly does a Security Risk Assessment evaluate?

It evaluates how your practice protects client information.
This includes devices, email, telehealth platforms, EHR systems, staff access, storage methods, and breach readiness. The goal is to identify vulnerabilities and document how you are addressing them.

Is this the same as a HIPAA checklist or training?

No.
A checklist or training does not replace a risk assessment.
HIPAA requires written analysis of risks and documented risk management steps. Education alone does not satisfy the Security Rule requirement.

Will completing an SRA prevent an audit?

No.
But not having one guarantees problems if you are audited.
A completed and maintained Security Risk Assessment demonstrates active compliance. Without it, you cannot show regulators or licensing boards that required safeguards are in place.

Does this include state laws or only federal HIPAA?

It includes both.
Federal HIPAA sets the floor; where your state's mental health laws are more stringent, they control.
State laws affect documentation, telehealth, minor consent, retention, and supervision. Integrating them into your SRA ensures your compliance reflects how your practice actually operates.

What kinds of penalties happen when SRAs are missing?

Financial settlements and corrective action plans are common.
Federal enforcement actions frequently cite failure to complete a Security Risk Assessment. Penalties may include fines, required monitoring, and multi-year compliance oversight.

Is an SRA a one-time document or something I maintain?

It must be maintained and updated.
HIPAA expects practices to review and update their risk analysis regularly. Each update should reflect current technology, staffing, and services.

Who should be responsible for completing the SRA in a practice?

Practice leadership is responsible.
Owners, compliance officers, or designated privacy and security leads typically oversee the process. Even in solo practices, responsibility cannot be delegated away.

What should happen after the Security Risk Assessment is completed?

Risk management and ongoing monitoring must follow.
HIPAA expects practices to address identified risks, update policies, and document corrective actions. A structured monitoring system helps ensure compliance stays current as your practice evolves.

What is the difference between a Security Risk Assessment and a Security Risk Analysis?

They are often used interchangeably. The regulation itself says "risk analysis": HIPAA requires an "accurate and thorough" analysis identifying risks and vulnerabilities to ePHI, followed by documented risk management actions. "Security Risk Assessment" is the common name for the same requirement.

What law requires a Security Risk Assessment?

HIPAA Security Rule – 45 CFR §164.308(a)(1)(ii)(A)

Get the HIPAA + State Monitoring Toolkit & Security Risk Assessment

Stay audit-ready. Monitor your compliance. Protect your license.
