OnlyHIPAA

Risk Analyses

A Risk Analysis is a formal, documented assessment of threats to your ePHI, structured after NIST SP 800-30. It is the written document that addresses the HIPAA Security Rule's risk-analysis implementation specification (45 CFR §164.308(a)(1)(ii)(A)): a standalone artifact you can hand an auditor.

This is distinct from the Risk Register: the register is an ongoing ledger of individual operational risks; a risk analysis is a point-in-time formal document built from threat scenarios.

Building an analysis

Create an analysis with a title, description, and scope (the system boundary it covers), plus a target review date. It starts in draft.

Then add threat scenarios, one per row. Each captures the asset, the threat source and threat event, the vulnerability it would exploit, the existing controls, and a likelihood and impact rating (each 1–5). The risk score is their product (1–25), mapped to a level from very-low to very-high. For each scenario, record the risk decision (mitigate / accept / transfer / avoid), the recommended controls, the residual likelihood and impact expected after treatment (scored the same way), and the HIPAA citation the scenario relates to.
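The scoring model above is simple enough to reproduce, which is useful when you want to pre-validate scenarios (for example, rows pasted from a spreadsheet) before entering them. The following is an added illustration, not OnlyHIPAA code: the 1–5 scales, the likelihood × impact product and the very-low to very-high levels come from this page, while the exact score bands, the field names, the consistency rules in `check_scenario` and the sample scenarios are assumptions made for the example.

```python
"""Threat-scenario scoring and pre-approval sanity checks for a NIST SP 800-30 style
risk analysis. Illustrative code only; the score bands and check rules are assumed."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

DECISIONS = {"mitigate", "accept", "transfer", "avoid"}

# Assumed mapping of the 1-25 product onto the five levels: (inclusive upper bound, level).
# The page states the levels but not the cut-offs, so these are an example choice.
LEVEL_BANDS = [(4, "very-low"), (6, "low"), (12, "moderate"), (16, "high"), (25, "very-high")]


def risk_score(likelihood: int, impact: int) -> int:
    """Score is the product of two 1-5 ratings; reject anything off the scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a 1-25 score onto the assumed bands above."""
    for upper, level in LEVEL_BANDS:
        if score <= upper:
            return level
    raise ValueError(f"score out of range: {score}")


@dataclass
class ThreatScenario:
    """One row of the analysis (field names are assumed, not the product's schema)."""
    asset: str
    threat_source: str
    threat_event: str
    vulnerability: str
    existing_controls: str
    likelihood: int
    impact: int
    decision: str
    recommended_controls: str = ""
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    hipaa_citation: str = ""

    def inherent(self) -> tuple[int, str]:
        score = risk_score(self.likelihood, self.impact)
        return score, risk_level(score)

    def residual(self) -> Optional[tuple[int, str]]:
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        score = risk_score(self.residual_likelihood, self.residual_impact)
        return score, risk_level(score)


def check_scenario(sc: ThreatScenario) -> list[str]:
    """Assumed reviewer rules: things that should be fixed before the analysis is approved."""
    issues: list[str] = []
    if sc.decision not in DECISIONS:
        issues.append(f"unknown decision {sc.decision!r}")
    inherent_score, inherent_level = sc.inherent()
    residual = sc.residual()
    if sc.decision == "mitigate":
        if not sc.recommended_controls:
            issues.append("mitigate without recommended controls")
        if residual is None:
            issues.append("mitigate without residual likelihood/impact")
    if residual is not None and residual[0] > inherent_score:
        issues.append("residual score exceeds inherent score")
    if sc.decision == "accept" and inherent_level in ("high", "very-high"):
        issues.append(f"accepting a {inherent_level} risk; record the justification")
    if not sc.hipaa_citation:
        issues.append("missing HIPAA citation")
    return issues


def level_counts(scenarios: list[ThreatScenario]) -> dict[str, int]:
    """Count scenarios by residual level, falling back to inherent where no treatment is scored."""
    counts = Counter((sc.residual() or sc.inherent())[1] for sc in scenarios)
    return dict(counts)


# Constructed sample scenario (not real data).
EXAMPLE = ThreatScenario(
    asset="EHR database",
    threat_source="external attacker",
    threat_event="credential stuffing against the clinician portal",
    vulnerability="password-only login on the portal",
    existing_controls="account lockout after 10 failures",
    likelihood=4,
    impact=5,
    decision="mitigate",
    recommended_controls="enforce MFA; rate-limit logins per source",
    residual_likelihood=2,
    residual_impact=3,
    hipaa_citation="45 CFR 164.312(d)",
)

if __name__ == "__main__":
    print(EXAMPLE.inherent(), EXAMPLE.residual(), check_scenario(EXAMPLE))
```

Run it once over your scenario list before moving the analysis to "in review": an empty list from `check_scenario` on every row means the document is at least internally consistent, which is the kind of check an auditor will make by hand otherwise.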

Lifecycle & export

An analysis moves draft → in review → approved → archived, with fields for who prepared, reviewed, and approved it. Print / PDF produces an audit-ready version of the finished document. There's no automatic recurrence — set a review date and revisit it on your own cadence (annually is typical).

Who can do what

Creating and editing risk analyses is org-admin only. The document is meant to be authored deliberately, not generated — you enter the threat scenarios that reflect your environment.

© 2026 OnlyHIPAA, Inc. All rights reserved.

OnlyHIPAA provides tools to assist with HIPAA compliance but does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance.