A complete OCR-Quality® Risk Analysis Solution, trusted by hundreds of healthcare organizations

Conducting a "by-the-book" HIPAA security risk analysis that evaluates threats and vulnerabilities to all information assets/systems used to receive, create, transmit, or store ePHI, while also complying with strict guidance from the Office for Civil Rights, is no small task. Completing an enterprise-wide, information system-based, OCR-Quality risk analysis correctly requires the right tools, expertise, and resources.

Take our HIPAA Security Risk Analysis Self-Review survey and find out where your organization stands in relation to meeting requirements.

The Right Tools

Our HIPAA Risk Analysis solution combines our proven methodology and systematic process with our proprietary, preconfigured IRM|Analysis® software to deliver a complete view of exposures across your enterprise.

The HIPAA Security Rule sets out an explicit requirement to complete a periodic risk analysis at 45 CFR §164.308(a)(1)(ii)(A):

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

IRM|Analysis® will enable your organization to meet the HIPAA Security Rule requirement for risk analysis as well as similar requirements found in many other regulations.

“90% of OCR Enforcement cases involving ePHI cite an insufficient risk analysis.”

Does your risk analysis meet guidance requirements?

Risk Analyses performed by, or in consultation with, Clearwater have been accepted by the Office for Civil Rights 100% of the time. 

OCR-Quality Risk Analysis®


The Right Expertise

Proven Methodology

An Efficient Risk Analysis Process Saves You Time and Money.

Demonstrate regulatory compliance and use the results from your Risk Analysis to make more informed information risk management decisions.


Together we will form a Project Team, provide your organization with educational materials, and plan the entire process. We will work with your team to help you:


During one or more on-site Risk Analysis sessions, we will:

  • Perform walkthroughs and interviews
  • Document controls
  • Evaluate threats and vulnerabilities applicable to components of each information system with ePHI
  • Determine risk level based on impact and likelihood following the NIST 800-30 process

Our IRM|Analysis® software will:

  • Dynamically create reports and dashboards
  • Identify all risks above your threshold, along with pertinent details
  • Allow risk registries to be printed directly from the software

Additionally, we will prepare a summary Findings, Observations, and Recommendations (FOR) Report to help you prioritize your next steps.


As a member of our Clearwater community you will have access to:

  • Excellent concierge support
  • Monthly customer council meetings
  • Dedicated help center

We stand behind our solutions and will always be there to support you.

The Right Resources

Fast Start. Sustained Success.

The Clearwater HIPAA Risk Analysis Solution

Clearwater provides the most comprehensive risk analysis solution for health systems and their business associates, while maximizing efficiency and minimizing disruption to your organization.

Information system discovery and Entity Hierarchy™ design

Professional consulting services to complete the risk analysis process, end to end, including fully populating your IRM|Analysis® application

Risk analysis report with findings, observations, and recommendations

Subscription for Clearwater’s IRM|Analysis® SaaS software

In-depth training for your staff on a sustainable and repeatable risk analysis process and use of the Clearwater IRM|Analysis® software to perform future periodic risk analyses

Go Beyond Compliance

Information security risk analysis has been a requirement in privacy and security regulations across industries for many years. However, compliance with regulations does not necessarily imply an organization has a “secure” information systems environment. Clearwater’s HIPAA Risk Analysis solution provides you with visibility into your organization’s greatest cybersecurity risks. It helps you make more informed security investment decisions, manage risk as a continuous process, and strengthen and maintain your information security program.

Risk Analysis Educational Resources 

Find White Papers, Blogs, and On-Demand Webinars about Risk Analyses in our extensive library of educational resources.

30-Minute Guide to Hiring The Best Risk Analysis Company

What to Look for in a HIPAA Risk Analysis Company & Solution

We are often asked, “How do I go about selecting a reputable firm to complete an OCR-Quality HIPAA Security Risk Analysis that will meet the requirements of HIPAA and the Promoting Interoperability Program, satisfy the risk analysis component of an OCR Audit, OCR Investigation or CMS Meaningful Use/Promoting Interoperability Audit, and reduce our risks of a breach or investigation?”

This Guide answers that question and provides an easy-to-use Security Risk Analysis Buyer's Guide Checklist to assist you in comparing alternative solutions and making your selection.

Interested in how we can help your organization with HIPAA risk analysis?