
Risk analysis vs periodic security evaluation: two different HIPAA requirements

45 CFR 164.308(a)(1)(ii)(A) and 164.308(a)(8) are two separate HIPAA requirements with two different artifacts. Here's how each one differs.

By CoreFolio

A small practice asked recently: we just finished our risk analysis last month — does that count as the periodic security evaluation too? The short answer is no. They are two different requirements at two different sections of the Security Rule, with two different artifacts, methodologies, and Office for Civil Rights (OCR) audit protocol items. A practice can have a thorough risk analysis and still fail 45 CFR § 164.308(a)(8) — OCR has cited exactly that gap in resolution agreements, including the Metro Community Provider Network case (2017, $400,000) where investigators specifically noted the absence of documented evaluation records.

The confusion is understandable: both survey the practice's security posture, both touch the same Subpart C standards, and both produce dated documents. But OCR's audit protocol treats them as separate items, and so does the regulation.

What each rule actually requires

Risk analysis

45 CFR § 164.308(a)(1)(ii)(A): "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."

This is a required implementation specification under the Security Management Process standard. It asks: what could harm our electronic protected health information (ePHI), how likely is each scenario, and how bad would it be? The output is a risk register: threat–vulnerability pairs, each rated for likelihood and impact and prioritized by the resulting risk level.

Periodic security evaluation

45 CFR § 164.308(a)(8): "Perform a periodic technical and non-technical evaluation, based initially on the standards implemented under this subpart and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart."

This is its own standalone required standard — not an implementation specification, not addressable, no flexibility on whether to do it. It asks a different question: given the 18 Subpart C standards, where does our practice stand against each one? The output is a per-standard assessment — administrative safeguards under § 164.308, physical safeguards under § 164.310, technical safeguards under § 164.312 — with status (meets, partial, gap, not-applicable) and findings on each.

The two requirements live at different sections of the same rule for a reason. The Security Management Process drives the risk-based work. The Evaluation standard drives the rulebook-based work. OCR audit protocol items AS-1 (risk analysis) and AS-28 (evaluation) are separate questions because the underlying obligations are separate.

The differences that matter

Different questions answered

The risk analysis is threat-and-vulnerability-out. It starts with the ePHI assets — the EHR database, the patient portal, the email account holding referral PHI — and works outward into what could harm them. The output is calibrated by likelihood and impact.

The periodic security evaluation is rulebook-in. It starts with the Security Rule's 18 standards and works inward into the practice's posture. The output is calibrated by status against each standard.

A risk analysis can identify "no multi-factor authentication on the EHR" as a high-likelihood, high-impact vulnerability without ever explicitly naming 45 CFR § 164.312(d). A periodic security evaluation will name § 164.312(d) and mark it partial or gap, regardless of how the analysis rated the underlying risk. OCR investigators read both and expect them to be coherent with each other — but they are not substitutes.
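The coherence an investigator expects between the two documents can be checked mechanically. The script below is an added example, not CoreFolio's code or anything from the page's sources: it builds a risk register from threat–vulnerability pairs on a 1–5 likelihood and impact scale (the 5×5 matrix), builds a per-standard evaluation record, and lists the questions that arise when the two disagree. The banding of scores into risk levels, the sample risks and findings, and the citation strings each risk "implicates" are all constructed for illustration; NIST SP 800-30 Rev. 1 leaves the scale and banding to the assessor.

```python
from dataclasses import dataclass


def band(score: int) -> str:
    """Map a likelihood x impact product (1..25) to a qualitative level.
    The thresholds are this example's assumption, not a NIST or OCR table."""
    if score >= 20:
        return "Very High"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Moderate"
    if score >= 3:
        return "Low"
    return "Very Low"


@dataclass(frozen=True)
class RiskItem:
    """One row of the risk register: a threat acting on a vulnerability of an ePHI asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # 1..5
    impact: int            # 1..5
    standards: tuple       # Security Rule citations the pair implicates (assumed mapping)

    def score(self) -> int:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on a 1..5 scale")
        return self.likelihood * self.impact

    def level(self) -> str:
        return band(self.score())


@dataclass(frozen=True)
class Finding:
    """One row of the periodic evaluation: status of the practice against one standard."""
    citation: str
    status: str            # meets | partial | gap | not-applicable
    evidence: str
    action_item: str = ""


def risk_register(items):
    """Risk-analysis output: pairs ranked by score, highest first."""
    return sorted(items, key=lambda r: r.score(), reverse=True)


def coherence_questions(register, evaluation):
    """Cross-check the two artifacts. Returns (citation, reason) pairs that a reader
    holding both documents side by side would ask the Security Officer about."""
    questions = []
    evaluated = {f.citation: f for f in evaluation}
    # Every partial/gap finding should have opened an action item.
    for f in evaluation:
        if f.status in ("partial", "gap") and not f.action_item:
            questions.append((f.citation, "partial/gap finding with no action item opened"))
    # A High/Very High risk should not sit behind a standard marked 'meets' or left unevaluated.
    for r in register:
        if r.level() not in ("High", "Very High"):
            continue
        for std in r.standards:
            f = evaluated.get(std)
            if f is None:
                questions.append((std, f"{r.level()} risk '{r.vulnerability}' but standard not in evaluation"))
            elif f.status == "meets":
                questions.append((std, f"evaluation says 'meets' but register carries {r.level()} risk '{r.vulnerability}'"))
    return questions


# Constructed sample data for a small practice (not from any real assessment).
SAMPLE_RISKS = [
    RiskItem("EHR", "credential theft", "no MFA on EHR login", 4, 5, ("164.312(d)",)),
    RiskItem("Referral email", "interception in transit", "referral PHI sent unencrypted", 3, 4, ("164.312(e)(1)",)),
    RiskItem("Front-desk workstations", "unattended session", "no automatic logoff", 3, 3, ("164.312(a)(1)",)),
    RiskItem("Portable backup drive", "theft from vehicle", "backup drive not encrypted", 3, 5, ("164.310(d)(1)",)),
]

SAMPLE_EVALUATION = [
    Finding("164.312(d)", "gap", "EHR accepts password only; policy silent on MFA", "Enable MFA; open RMP item"),
    Finding("164.312(e)(1)", "meets", "Email encryption policy on file"),          # contradicts the register
    Finding("164.312(a)(1)", "partial", "Auto-logoff missing on 3 of 12 workstations", "Configure auto-logoff"),
    Finding("164.308(a)(5)", "partial", "Training log missing two new hires", ""),  # no action item opened
]


def run_example():
    register = risk_register(SAMPLE_RISKS)
    return register, coherence_questions(register, SAMPLE_EVALUATION)


if __name__ == "__main__":
    register, questions = run_example()
    for r in register:
        print(f"{r.score():>2} {r.level():<9} {r.asset}: {r.vulnerability}")
    for citation, reason in questions:
        print(f"? {citation}: {reason}")
```

Running it ranks the four sample risks and raises three questions: the encrypted-email standard is marked "meets" while the register carries a High risk against it, the media-controls standard behind the unencrypted backup drive was never evaluated, and a partial training finding has no action item. None of these is an error in either document on its own; they are exactly the inconsistencies that surface only when the two artifacts are read together.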

Different artifacts produced

A defensible Risk Analysis Report contains a scoped asset inventory, threat inventory, vulnerability inventory, likelihood and impact ratings on each threat–vulnerability pair, the resulting risk levels, and the basis for each rating. NIST Special Publication 800-30 Revision 1 is the methodology OCR's risk-analysis guidance points to.

A defensible Periodic Security Evaluation Report contains a dated walkthrough of every Subpart C standard, with per-standard status findings, evidence the evaluator reviewed (policies, procedures, logs, training records, audit reports), action items opened for any partial or gap finding, signoff by the Security Officer, and a retention statement covering the six years 45 CFR § 164.316(b)(2)(i) requires. NIST Special Publication 800-66 Revision 2 § 5.7 is the methodology guidance.

Different inputs (the evaluation often consumes the risk analysis)

This is where practices conflate the two: the periodic security evaluation usually uses the current Risk Analysis Report as one of its inputs. The evaluator looks at the risk register when reviewing § 164.308(a)(1) (Security Management Process) and at the risk management decisions when reviewing each addressable specification. But consuming a document as an input is not the same as the document being the output. The risk analysis informs the evaluation; the evaluation produces its own dated record.

Different OCR audit-protocol items

OCR's audit protocol carries separate questions for each. Audit item AS-1 asks the covered entity to produce its risk analysis. Audit item AS-28 asks the covered entity to produce documentation of periodic evaluation. An investigator who only finds the risk analysis is missing half the answer.

Why they cannot be the same document

Practices sometimes ask whether a single combined assessment can satisfy both standards. It cannot, for the same reason a risk analysis cannot double as a gap analysis:

Different inputs. The risk analysis takes asset inventory, threat intelligence, and vulnerability scans as inputs. The evaluation takes the Security Rule text and the practice's policies and procedures as inputs.

Different processes. Risk analysis runs a likelihood-and-impact calculation across threat–vulnerability pairs. Evaluation runs a status check across each of the 18 Subpart C standards.

Different outputs. Risk analysis produces a risk register and informs the Risk Management Plan. Evaluation produces a per-standard status record and informs action items that may or may not become risks.

Different audiences. Risk analysis answers "what are we doing about the biggest threats?" Evaluation answers "are we following our own rulebook against the Security Rule?"

A document that tries to do both typically does neither well: the threat-based findings get diluted by rulebook language and the rule-based findings get diluted by risk ratings. OCR investigators who read these documents are accustomed to the two separate shapes and can find a combined document insufficient on both standards.

The structure of defensible evidence for each

A defensible Risk Analysis Report

  • Scope: Every system, device, vendor, and workforce role that creates, receives, maintains, or transmits ePHI
  • Threats inventory: Adversarial, accidental, environmental, and structural threats applicable to the practice's environment
  • Vulnerabilities inventory: Per-system and per-process weaknesses the threats could exploit
  • Risk register: Threat × vulnerability pairs with likelihood, impact, and resulting risk level (typically a 5×5 matrix)
  • Methodology: Explicit reference to NIST SP 800-30 Revision 1
  • Date, attribution, and revision history

A defensible Periodic Security Evaluation Report

  • Scope statement: The 18 Subpart C standards in CFR citation order
  • Per-standard walkthrough: For each standard — citation, current practice status (meets / partial / gap / not-applicable), evidence reviewed, findings
  • Severity-tiered findings summary: High (immediate action), medium (90 days), low (next annual cycle)
  • Action items opened: Cross-referenced into the Risk Management Plan when a finding rises to a risk-management decision
  • Signoff: Security Officer attestation, dated
  • Retention statement: Six years under § 164.316(b)(2)(i)

Both follow the same evidentiary discipline — dated, attributed, retained, revision-controlled — but their bodies look nothing alike.

The cost compared

The risk analysis is one piece of a much larger documentation file. A small practice operating under the federal HIPAA Security and Privacy Rules needs roughly 45 documents — policies (Workforce Security, Sanction, Audit Controls, Workstation Use, and the rest), procedures (Security Incident Response, Emergency Access, Periodic Security Evaluation, and the rest), designations (Security Officer, Privacy Officer), logs (Access, Sanctions, Accounting of Disclosures, and six more), vendor templates (Business Associate Agreement, security attestations), forms (Patient Authorization, Notice of Privacy Practices acknowledgment), and the three dated reports from the assessment (Risk Analysis Report, Risk Management Plan, 2026 Readiness Gap Report). Each is dated, attributed, and retained for six years.

Building that file from a blank page is the single largest hidden cost in HIPAA compliance for small practices. Maintaining it — annual reviews, regulatory updates when rules move, re-running the risk analysis on cycle — is the second.

The people who actually do this work in a small practice are not the cheapest hour on the floor. An office manager (about $30/hour per the U.S. Bureau of Labor Statistics, May 2023) drafts and customizes the documents. The practice owner or physician (about $90/hour for dentistry, $115/hour for family medicine, BLS) reviews and signs off on every substantive policy decision. A Security Officer or senior staff member (about $50/hour) often owns the risk-management work. A blended $50/hour captures that mix conservatively, and materially undercounts practices where the owner does most of the review.

Small practices also typically pay a healthcare attorney for an initial review of the documentation file the first time it is built (the Business Associate Agreement language, the Notice of Privacy Practices, the policies that need state-law adaptation) and again whenever federal rules materially change. Healthcare-attorney rates for HIPAA work run $350–$500/hour; the initial review of a full federal file is 10–20 hours. With CoreFolio, the practice's attorney is reviewing a built file rather than a blank page, and the review collapses to a focused 2–4 hours on practice-specific adaptations.

The math, with practice labor at the blended $50/hour and legal review at $400/hour:

Year one buildout — full federal file plus initial risk analysis
  • DIY (from scratch): 120–180 hrs of practice labor ($6,000–$9,000) + 10–20 hrs of healthcare-attorney review ($4,000–$8,000). Total: $10,000–$17,000
  • With CoreFolio HIPAA Digital Binder ($99/month): 15–25 hrs of practice labor ($750–$1,250) + 2–4 hrs of focused legal review ($800–$1,600) + $1,188 subscription. Total: $2,738–$4,038
  • Net savings: $6,000–$14,000

Year two onward, calm year — annual reviews + the annual risk-analysis re-run
  • DIY (from scratch): 35–55 hrs · $1,750–$2,750/year
  • With CoreFolio HIPAA Digital Binder: 5–10 hrs ($250–$500) + $1,188 subscription · $1,438–$1,688/year
  • Net savings: $60–$1,300/year

A year a federal rule moves — calm-year work plus document rewrites and re-attestation against the new rule
  • DIY (from scratch): +30–60 hrs of practice work and 4–8 hrs of legal review · $3,100–$6,200 extra in that year
  • With CoreFolio HIPAA Digital Binder: refreshed templates and regulation-change alerts land in the binder; focused legal review of practice-specific changes (1–2 hrs) · $400–$800 extra in that year
  • Net savings: $2,300–$5,800 extra in that year

First-year total savings run $6,000–$14,000. The legal-review line is doing roughly as much work as the practice-labor line; both shrink because the practice is starting from a built file rather than a blank page — the work for the practice and the work for the attorney both collapse to practice-specific adaptations.

Year two onward is where the subscription earns its keep, for two reasons the calm-year row alone does not show:

  1. Disciplined DIY maintenance is the part that quietly fails in most small practices. Stale risk analyses, undated policy revisions, and missing attestations are what OCR cites in nearly every Risk Analysis Initiative settlement. The subscription's quarterly review reminders and dated revision history are a forcing function — every document carries its review-due date and is re-dated when attested. The labor math above captures the work done; it does not capture the work not done that becomes the audit finding three years later.

  2. Federal rules move on a schedule the practice does not control. The proposed 2026 Security Rule is the visible example — small practices with a current DIY file in early 2026 will spend 30 to 60 hours rebuilding sections of it once the rule is finalized, plus 4 to 8 hours of healthcare-attorney review of the changes. The subscription absorbs the work: refreshed templates land in the binder, regulation-change alerts surface what needs attention, and the legal-review burden shrinks to 1–2 hours of practice-specific adaptations. The savings in any single rule-change year ($2,300–$5,800) are roughly two to five times the subscription's annual cost.

What the math above still does not capture. Three real costs of DIY that resist line-item quantification — all favoring the subscription:

  • Opportunity cost. Every hour the office manager spends drafting a Sanction Policy is an hour they are not running insurance verification, following up on denied claims, or scheduling patients. In small practices where admin staff are the binding constraint on revenue-cycle work, displaced hours show up as delayed claims and patient-experience friction.
  • Workforce-turnover survival. When the person who built the DIY file leaves, institutional knowledge often leaves with them, and the next person spends 20 to 40 hours reconstructing what the file contains and where each document lives. The binder is the source of truth regardless of who is reading it; turnover does not erase what is in the system.
  • Stress and audit anxiety. Small-practice owners describe HIPAA documentation as the work that lives at the bottom of every weekly to-do list, gets pushed for months at a time, and surfaces as a panic project when a vendor questionnaire or an OCR inquiry lands. The subscription does not eliminate the work; it makes the work routine instead of episodic.

The subscription is more than labor savings. It keeps your federal HIPAA documentation file dated, attributed, version-controlled, and current — so when OCR or an auditor opens an inquiry, the answer is in one place with the dates and signatures that show it has been maintained on cycle. Building that file is the cost the table above quantifies; not having it built on the day OCR opens an inquiry is the cost the table cannot quantify at all.

What to do this month

If you have neither artifact, start with the risk analysis. It is the foundational document — every other Security Rule activity, including the periodic evaluation itself, references it. The evaluation can be scheduled after the risk analysis is current.

  1. Confirm what you have. Pull every document your practice currently calls a "risk assessment," "security evaluation," "compliance review," or "gap analysis." Date them. The Security Rule sets no fixed interval for either artifact, but annual is the common benchmark; treat anything older than 12 months, or older than the last significant change to your systems or vendors, as due for a refresh.
  2. Identify which is which. Does the document walk threats and produce a risk register? It is a risk analysis. Does it walk the 18 Subpart C standards and produce status findings? It is a periodic security evaluation. Many practices discover they have one but not the other.
  3. Schedule the work. Block calendar time. The risk analysis alone runs 10–18 hours from scratch; the full federal HIPAA documentation file (the ~45 policies, procedures, designations, logs, vendor templates, and forms) adds another 100–160 hours of drafting if you are building from a blank page. The periodic security evaluation walking the 18 Subpart C standards takes another 4–8 hours once the risk analysis is current. The table above puts those hours into dollars.
  4. Designate the Security Officer. Both artifacts should carry a named owner and signoff, and 45 CFR § 164.308(a)(2) requires that a security official be identified. If you have not formally designated yours, do that first; the designation memo is the prerequisite to either document.

What CoreFolio produces

CoreFolio's free Risk Assessment. Walks the assessment in about 60 minutes and shows where your gaps are as you answer. The free tier is designed to scope the work — it surfaces your gaps without producing a dated PDF artifact. Your answers stay in your browser. The free assessment is the right tool to decide whether subscribing makes sense for your practice.

CoreFolio HIPAA Digital Binder ($99 per month). Produces the three dated PDFs OCR enforcement makes essential — the Risk Analysis Report, the Risk Management Plan, and the 2026 Readiness Gap Report — and ships the federal fill-in templates covering the rest of the file: the policies, procedures, designations, logs, vendor agreements, and forms a small practice's HIPAA file needs. Quarterly review reminders and federal regulation-change alerts keep the documentation current between annual cycles. Workforce training is included as well — Security Training and General HIPAA courses. Training is a separate Security Rule requirement under § 164.308(a)(5).

What the math above shows. The free assessment scopes your gaps in about 60 minutes. The Digital Binder additionally renders the dated PDFs and ships the federal documentation a small practice needs — Business Associate Agreement, Notice of Privacy Practices, Workforce Security Policy, Contingency Plan, Sanction Policy, the operational logs, the procedures, and the rest. The practice's work shrinks to walking the assessment, customizing the templates with practice-specific details, and dating and signing — about 15 to 25 hours in year one. The subscription's quarterly review reminders and federal regulation-change alerts handle the year-two-and-onward maintenance that, done from scratch, is the larger of the two cost buckets in the table above.

What about the periodic evaluation? OCR audits look for both the risk analysis and the periodic security evaluation as separate artifacts with separate dates, separate attributions, and separate retention. CoreFolio does not perform the per-standard walkthrough on the practice's behalf; that work belongs to the Security Officer. The Digital Binder ships the Periodic Security Evaluation Procedure and its paired evidence record so the Security Officer has the documentation template to fill in.

Sources

  • 45 CFR § 164.308(a)(1)(ii)(A) — Risk analysis (required implementation specification under the Security Management Process standard). ecfr.gov
  • 45 CFR § 164.308(a)(8) — Standard: Evaluation. ecfr.gov
  • 45 CFR § 164.316(b)(2)(i) — Six-year documentation retention. ecfr.gov
  • HHS Office for Civil Rights, HIPAA Audit Protocol — items AS-1 (risk analysis) and AS-28 (evaluation) treat the two requirements as separate audit questions. hhs.gov
  • HHS Office for Civil Rights, Guidance on Risk Analysis Requirements under the HIPAA Security Rule (2010). hhs.gov
  • NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments (September 2012). The methodology OCR's risk-analysis guidance points to. csrc.nist.gov
  • NIST Special Publication 800-66 Revision 2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide (final version published February 2024). § 5.7 covers the periodic security evaluation. csrc.nist.gov
  • U.S. Bureau of Labor Statistics, Occupational Employment and Wage Statistics, May 2023 — basis for the blended $50/hour practice-labor assumption in the comparison table, which mixes First-Line Supervisors of Office and Administrative Support Workers (about $30/hour mean), Family Medicine Physicians (about $115/hour mean), and Dentists, General (about $90/hour mean). The healthcare-attorney rate of $350–$500/hour reflects publicly reported HIPAA-counsel billing ranges; the table uses $400/hour as a midpoint. bls.gov
  • HHS OCR Resolution Agreement — Metro Community Provider Network (April 2017, $400,000). § 164.308(a)(8) cited as a standalone finding for the absence of documented evaluation records, separate from the risk analysis findings. hhs.gov

Last verified: 2026-05-27. Sources current as of that date. This article is educational and does not constitute legal advice; share findings with your privacy officer or counsel before acting on them.