HIPAA SECURITY RULE COMPLIANCE
HIPAA Security Risk Assessment.
A self-service HIPAA risk assessment mapped to the Security Rule. Answer 50 questions across 7 sections in about 15 minutes, and two branded PDF reports land in your inbox the moment you finish.
THE REGULATION
45 CFR § 164.308(a)(1)(ii)(A)
Requires every covered entity and business associate to conduct an accurate and thorough risk analysis of ePHI confidentiality, integrity, and availability.
THE ENFORCEMENT
OCR resolution agreements
The absence of a documented, accurate risk analysis is the single most-cited deficiency in HHS Office for Civil Rights enforcement actions. See the federal breach data behind it.
THE BUSINESS DRIVER
Insurance and customers
Cyber insurance renewals, hospital and payor vendor reviews, and SaaS procurement now all ask for a current SRA before proceeding.
SCOPE OF THE ASSESSMENT
Every safeguard the HIPAA Security Rule requires.
Z Cyber's SRA covers all 54 standards and implementation specifications across the four control families, plus the interaction with the Privacy Rule and Breach Notification Rule.
Administrative
§ 164.308- Security management process and risk analysis program
- Workforce security, training, and sanctions
- Information access management and access authorization
- Security incident response procedures
- Contingency planning, including data backup and disaster recovery
- Evaluation and periodic technical and non-technical reviews
- Business Associate contracts and arrangements
Physical
§ 164.310- Facility access controls and visitor management
- Workstation use and security
- Device and media controls, including disposal and reuse
Technical
§ 164.312- Access controls, unique user identification, and emergency access
- Audit controls and log review
- Integrity controls for ePHI
- Person or entity authentication
- Transmission security and encryption
Organizational, policies, and documentation
§§ 164.314 – 164.316- Business Associate Agreement adequacy
- Policies and procedures in scope and current
- Documentation retention and availability
- Breach notification readiness under § 164.400 series
THE DELIVERABLE
What you receive.
A complete, evidence-backed report that holds up under OCR audit, satisfies your insurance carrier, and gives your team a prioritized remediation plan.
Scoping document
Sized to your organization and environment, delivered within one business day of your submission.
Findings report
Every finding cites the relevant standard or implementation specification, includes evidence reviewed, a risk rating, and a recommendation.
Prioritized remediation roadmap
Findings ordered by risk and effort, with quick wins separated from program-level changes.
Executive summary
Board-ready. Translates findings into business risk and a clear path forward.
Attestation-ready documentation
Structured to drop directly into OCR audit responses, cyber insurance applications, and customer security reviews.
SEE WHAT YOU'LL GET
Every assessment ends with two branded PDF reports.
A clear letter grade and risk score, every finding mapped to the HIPAA Security Rule, and two branded reports delivered to your inbox: an Executive Summary for boards and insurers, and a Detailed Findings report for your team. Here is a preview of what you see.
Your HIPAA posture, scored across all seven sections of the Security Rule.
Findings by severity
Two branded reports land in your inbox the moment you finish: a Detailed Findings report mapped to every HIPAA Security Rule citation, and an Executive Summary for your board and insurers.
FREQUENTLY ASKED
Questions worth answering up front.
Who is required to conduct a HIPAA Security Risk Assessment?
How often does the SRA need to be performed?
What does Z Cyber actually deliver?
How is this different from a vendor questionnaire or template SRA?
What is the timeline?
What happens after the assessment?
FURTHER READING
Understand the Security Rule before you act on it.
New HIPAA Rules 2026: What to Do While the Final Rule Is Pending
The rule is not final yet, but the direction is clear. How to sequence the work before the deadline lands.
HIPAA Security Rule: Complete Compliance Checklist for 2026
Every standard and implementation specification, plus the artifacts auditors actually look for.
Healthcare Cybersecurity: HIPAA + NIST in One Platform
How Glance maps HIPAA Security Rule controls to NIST CSF without doubling your work.
Get the HIPAA documentation OCR and your insurer expect.
Take the free assessment to get your provisional score and reports, or reach out directly. A Z Cyber security advisor will respond within one business day.