200+ Question SRA by a Former HHS Investigator

HIPAA Risk Assessment
Built to Survive OCR

A defensible Security Risk Assessment (SRA) — 200+ questions, conducted directly with you by a former HHS Assistant Inspector General. Not a software scan. Not a checklist. The kind that holds up under federal review.

Conducted by Jay directly
Documented findings
Remediation roadmap

Book a Free Scoping Call

15 minutes with Jay to scope whether you actually need an SRA, what it would cover, and what OCR will be looking for.

15 minutes. No obligation. If a software scan would satisfy your needs, we'll tell you.

200+ questions per assessment
40+ years in HIPAA & federal enforcement
200+ organizations served
HHS: Former Asst. Inspector General

Most "risk assessments" aren't the kind OCR wants to see.

The HIPAA Security Rule requires an "accurate and thorough" risk analysis. That language is deliberate, and it's the reason most organizations can't satisfy what the HHS Office for Civil Rights (OCR), the federal agency that enforces HIPAA, actually expects when it reviews your documentation.

Here's what we see in almost every organization we assess:

71% of small-to-mid-sized organizations have never conducted a proper SRA.

The ones who have often confuse a compliance checklist or a vulnerability scan with the "accurate and thorough" assessment the HIPAA Security Rule actually requires. They're not the same thing.

Software scans find vulnerabilities. SRAs identify risks.

A vulnerability scanner tells you which server is missing a patch. An SRA tells you which administrative, physical, and technical safeguards are missing, whether your workforce actually follows them, and what your specific organization's exposure looks like. Those are different questions — and only one of them satisfies OCR.

"We did one 18 months ago" isn't current.

HHS guidance recommends annual review, and OCR typically expects SRAs to be updated whenever you implement new technology, change operations, or experience a breach. An old assessment isn't defensible — and the first thing OCR asks to see is the current one.

A real SRA is a conversation, not a questionnaire you fill in alone.

"75% of 2025 OCR enforcement penalties cited failure to conduct a risk analysis — the single most penalized deficiency in HIPAA history."

What a defensible assessment actually gives you.

The deliverables from a proper SRA aren't a dashboard. They're a documented set of findings, a prioritized remediation roadmap, and the paper trail OCR will ask for first.

Documented findings report

A written report of threats, vulnerabilities, and risk ratings across administrative, physical, and technical safeguards. Findings are mapped to the HIPAA Security Rule citations so you know exactly which requirement each addresses.

Prioritized remediation roadmap

Not a flat to-do list. A risk-weighted plan — what to fix first, what can wait, what's low-probability-but-high-impact. Built so you can work through it at a realistic pace without leaving the biggest gaps open.

The paper trail OCR asks for

When an investigator opens a file, the first question is "Where's the risk assessment?" You'll have one — current, thorough, mapped to the rule, defensible. The response to that question is the difference between technical guidance and a corrective action plan.

Annual refresh path

The SRA isn't a one-time artifact. You get a documented process for the annual update — what's changed, what's new, what needs to be reassessed — so next year's refresh is a walkthrough, not another full rebuild.

In roughly 85% of cases, organizations with a comprehensive, defensible risk assessment in place receive technical guidance from OCR rather than penalties or a corrective action plan. That's the outcome a proper SRA is designed to produce.


The investigator is now on your side.

Jay Hodes

President — Colington Consulting

Former Asst. Inspector General, HHS

Jay served as Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services — the agency that enforces HIPAA. He's been on both sides of HIPAA investigations: the federal enforcement side that writes findings, and the client side that has to defend against them.

When Jay conducts a risk assessment, he does it with the same framework federal investigators use to evaluate one.

With 40+ years of combined experience in risk assessments, regulatory compliance, and federal law enforcement management, Jay has personally conducted thousands of assessments — from solo practices to multi-state enterprises with 120 locations and 12,000 employees.

He's not going to sell you something you don't need. He recently told a company they didn't need HIPAA compliance at all — they weren't a covered entity or business associate. If a software tool would actually satisfy your situation, he'll tell you that too.

Fmr. Asst. Inspector General, HHS
Expert witness in HIPAA litigation
80+ published articles on HIPAA
Top 10 HIPAA Consulting Firm (2020, 2024, 2025)

"An SRA isn't a checklist — it's a judgment call about your organization's specific exposure. Software can't make that call. I can."

What's in the 200+ question assessment.

The assessment is structured around the HIPAA Security Rule safeguards framework — the same structure OCR uses when it reviews your documentation.

Administrative safeguards

Security management, workforce security, information access management, security awareness and training, contingency planning, evaluation.

Physical safeguards

Facility access controls, workstation use and security, device and media controls. Applies even if you operate 100% remotely.

Technical safeguards

Access control, audit controls, integrity, person or entity authentication, transmission security. The part people think is all of HIPAA — it's not.

Organizational requirements

Business Associate contracts and arrangements. How you manage your vendor chain and subcontractor obligations under HIPAA.

Policies, procedures & documentation

The six-year retention requirement, regular review cycles, and the ability to produce any document OCR asks for — on demand.

Breach notification readiness

Whether your incident response procedures would actually satisfy the 60-day notification rule and the four-factor risk assessment if something happened tomorrow.

The full 200+ question set walks through each of these sections methodically — with Jay explaining what each question means, why OCR cares about it, and what a defensible answer looks like for your specific organization.

How the assessment actually works.

1. Free scoping call (15 minutes)

Jay talks through your organization — size, locations, technology, workforce, any prior assessments. By the end of the call you'll know the scope of your assessment and whether you need one in the first place.

2. Intake questionnaire (1 week)

You complete a baseline questionnaire (~5 pages) so Jay arrives at the assessment with context: systems, workflows, existing documentation. This is the only part you do alone, and it doesn't require any specialized compliance knowledge.

3. Expert-led assessment (scheduled sessions)

Jay walks you through all 200+ questions in real time, not via a link or a portal. If you don't understand a question, he explains what it means, why OCR cares, and what a defensible answer looks like. This is the part that separates a real SRA from a compliance checklist.

4. Findings report + remediation plan

You receive a documented findings report with risks mapped to the HIPAA Security Rule sections, plus a prioritized remediation plan so you know exactly what to fix first, second, and later. All of it is written — nothing stuck in a dashboard.

5. Annual refresh & ongoing support

The SRA isn't done once and forgotten. OCR guidance expects annual review, and if your organization implements new technology or changes operations, that's a trigger for an update. We maintain the documentation year over year so you're always current.


Questions we hear on every SRA call.

Software risk assessment tools send you a link with 200+ questions and expect you to answer them on your own. If you don't understand a question, and most people don't if they're not compliance specialists, you're stuck: you either guess, skip it, or book consulting time with the vendor anyway. Our assessment is conducted live, with Jay walking you through every question in real time, explaining the context, and making the judgment calls you can't automate. You pay once and you're done.

No one can guarantee the outcome of an OCR audit — that depends on what OCR finds across your entire program, not just the SRA. But what we can tell you is that a documented, current, thorough risk assessment mapped to the Security Rule citations is the first thing OCR asks for, and having one dramatically changes the tone of the investigation. Organizations with defensible programs typically receive technical guidance rather than corrective action plans. Organizations without one don't.

Most assessments are completed in a few weeks end-to-end, depending on your organization's size and complexity. The questionnaire takes a few days on your side. The assessment sessions with Jay are typically split across multiple calls so you don't have to block out a full day. The findings report follows within a week of the final session.

A written findings document structured around the HIPAA Security Rule safeguards, with specific threats and vulnerabilities identified per safeguard area, risk ratings, and a clear map of which regulatory requirements each finding addresses. Alongside the findings, you get a prioritized remediation roadmap so you know which gaps to close first. Both are delivered as documents you own — not locked inside a platform.

HHS guidance recommends annual review, and OCR typically expects SRAs to be updated whenever you implement new technology, change operations, move locations, or experience a security incident. The annual refresh is much lighter than the initial assessment — it's a focused review of what's changed, not a full rebuild.

Every engagement starts with a Statement of Work tailored to your organization's size, locations, and scope. The free 15-minute scoping call gives you a clear picture of what the assessment covers and what it costs — before any commitment. No surprise pricing, no annual subscription traps.

Start with a scoping call.

15 minutes with Jay to scope the assessment, tell you what OCR will be looking for, and decide whether you actually need an SRA in the first place. No obligation. No sales pitch.

What happens next: You'll pick a time on the next page. Jay calls you for a 15-minute scoping conversation.

Prefer to call? 844.740.7100