Therapy HIPAA Hub

Free HIPAA Security Risk Assessment Checklist for Therapists

A 43-point checklist covering all four safeguard categories OCR auditors review. Print it, work through it, and document each item completed. This is the same framework federal auditors use during a HIPAA Security Rule investigation.

Updated May 2026 · Aligned with 2024 HIPAA amendments · Last OCR guidance incorporated

Administrative Safeguards (12 items) · Physical Safeguards (7 items) · Technical Safeguards (12 items) · Policies & Documentation (12 items)

Before you begin

The HIPAA Security Rule requires you to formally document your SRA — going through this checklist alone is not sufficient. You must write down your findings, your risk level for each item, and your plan to address gaps. Keep this documentation for at least 6 years.

Administrative Safeguards

12 items

Assign a HIPAA Security Officer (even if it is you)

Required for all covered entities regardless of size

Complete and document a Security Risk Analysis (SRA) within the past 12 months

The SRA is the #1 item OCR auditors check first

Develop a written Risk Management Plan based on SRA findings

Document how you are addressing each risk identified

Implement a Sanction Policy for workforce members who violate HIPAA

Required even for solo practices — you are the workforce

Establish Information Access Management procedures

Define who can access what PHI and under what circumstances

Conduct annual HIPAA training and document it

Keep records with date, attendee names, and topics covered

Implement a Security Incident Procedures policy

How will you respond if a breach or suspected breach occurs?

Create a Contingency Plan (backup and disaster recovery)

What happens if your EHR is down or data is lost?

Review and update all Business Associate Agreements (BAAs)

A BAA is required with your EHR, email service, telehealth platform, and billing service

Evaluate contractors and vendors for HIPAA compliance annually

Ask for their HIPAA attestation or SOC 2 report

Document workforce clearance procedures

Who gets access to PHI, and are background checks required where applicable?

Establish a termination policy for access revocation

Immediately revoke EHR and email access when staff leave

Physical Safeguards

7 items

Implement Facility Access Controls

Locked office, key cards, or equivalent for spaces with PHI

Create a Workstation Use policy

Clear screen when stepping away; no shoulder surfing

Implement Workstation Security measures

Password-protected screensaver, auto-lock after 5–10 minutes

Establish Device and Media Controls

Policy for disposing of old devices with PHI (wipe before disposal)

Document procedures for hardware relocation

What happens when you move offices or change computers?

Secure physical records (paper charts, intake forms)

Locked filing cabinets; shredder for disposal

Ensure telehealth sessions use a private physical space

Clients in waiting rooms must not be able to hear other sessions

Technical Safeguards

12 items

Enable full-disk encryption on all devices holding PHI

Laptops, tablets, phones — FileVault (Mac) or BitLocker (Windows)

Use unique user IDs for EHR access (no shared logins)

Every person who logs in needs their own credentials

Implement automatic logoff after a defined inactivity period

Most EHRs let you set this — 10–15 minutes recommended

Enable audit controls / access logging in your EHR

You need to be able to see who accessed which records and when

Use HIPAA-compliant email for all client communication

Gmail, standard Outlook, and Yahoo are not acceptable

Use a HIPAA-compliant telehealth platform

Standard Zoom, FaceTime, and Google Meet are not acceptable without a signed BAA

Enable multi-factor authentication (MFA) on all accounts with PHI

EHR, email, cloud storage, billing — all need MFA

Maintain regular encrypted data backups

Backup frequency should match how often you create new records

Test your backup restoration process at least annually

A backup you have never tested is a backup you cannot trust

Use a VPN on public Wi-Fi when accessing PHI

Coffee shops, airports, and hotel networks are not HIPAA-safe without a VPN

Verify your EHR encrypts data in transit and at rest

Ask your vendor for a BAA and their encryption documentation

Disable or control remote access to your systems

Remote desktop tools must require MFA and log all sessions

Policies & Documentation

12 items

Maintain a current Notice of Privacy Practices (NPP)

Must reflect the 2024 reproductive health care amendments

Post or distribute NPP to all new clients

Obtain and retain signed acknowledgment from each client

Document all HIPAA training sessions

Date, names, and topics — keep for 6 years

Keep copies of all signed BAAs

Retain for 6 years from execution or last effective date

Maintain a HIPAA breach log (even if no breaches occurred)

Document all security incidents, including near-misses

Have a written Breach Notification Policy

Who do you notify, in what timeframe, using what template?

Document your psychotherapy notes storage separately from the general record

Your EHR should allow separate storage — verify this is configured correctly

Create a minimum necessary PHI policy

Only access and share the minimum PHI needed for the purpose

Review and update all policies at least annually

Date-stamp each review even if no changes were made

Keep records of all HIPAA-related reviews and updates for 6 years

OCR can request documentation going back 6 years from the audit date

Ensure your intake forms comply with HIPAA minimum necessary requirements

Do not collect PHI you do not actually need for treatment

Establish a process for honoring client access requests within 30 days

The 2024 HIPAA updates tightened the access request timeline


FAQ — HIPAA Security Risk Assessment

How often do I need to complete a HIPAA Security Risk Assessment?

Officially, the HIPAA Security Rule requires an SRA whenever there are significant changes to your environment — new technology, new staff, new location, or new business processes. In practice, OCR expects annual SRAs for small practices. Completing and documenting one per year is the safest approach.

Do I need to hire a consultant to do my SRA?

No. OCR's Security Risk Assessment Tool (available free at healthit.gov) is designed for small practices including solo therapists. You can complete it yourself. What matters is that you document your findings and your risk remediation plan — not who performs the assessment.

What happens if I am audited and cannot produce SRA documentation?

Failure to conduct and document an SRA is one of the most commonly cited HIPAA violations. OCR has assessed fines of $10,000 to $100,000+ specifically for missing SRA documentation. Having a completed, dated SRA on file is your primary defense in an audit.

My EHR vendor says they are HIPAA compliant — does that mean I am covered?

No. Your EHR vendor's compliance covers their systems, not your practice's processes. You are still responsible for your own administrative safeguards, workforce training, physical safeguards, and policies. The vendor's BAA covers their obligations — your SRA covers yours.