A Risk Analysis is a formal, documented assessment of threats to your ePHI, following the NIST SP 800-30 risk assessment methodology. It's the document that satisfies the HIPAA Security Rule's risk analysis requirement (45 CFR §164.308(a)(1)(ii)(A)): a standalone, written record you can hand an auditor.
This is distinct from the Risk Register: the register is an ongoing ledger of individual operational risks; a risk analysis is a point-in-time formal document built from threat scenarios.
Create an analysis with a title, description, and scope (the system boundary it covers), plus a target review date. It starts in draft.
Then add threat scenarios, one per row. Each captures the asset, the threat source and threat event, the vulnerability, the existing controls, and a likelihood and impact, each scored 1–5. Score likelihood with the existing controls taken into account; the risk score is the product of likelihood and impact (1–25), mapped to a level from very-low to very-high. Record the risk decision (mitigate / accept / transfer / avoid), the recommended controls, the residual likelihood and impact you expect once those controls are in place, and the relevant HIPAA citation.
An analysis moves draft → in review → approved → archived, with fields for who prepared, reviewed, and approved it. Print / PDF produces an audit-ready version of the finished document. There's no automatic recurrence: set a review date and revisit it on your own cadence (annually is typical, and sooner after a material change to the environment, such as a new system that handles ePHI or a security incident).
Creating and editing risk analyses is org-admin only. The document is meant to be authored deliberately, not generated — you enter the threat scenarios that reflect your environment.