Kingsfield · Research · Data Privacy & Cybersecurity

Which HIPAA Security Rule provision requires a covered entity to conduct a security risk analysis?

Published 2026-06-23 · U.S. federal law

The HIPAA Security Rule's administrative safeguards require a covered entity to conduct an accurate and thorough risk analysis of the potential risks to electronic protected health information and to implement security measures to reduce those risks.

The answer

The risk-analysis duty

45 CFR § 164.308 sets out the administrative safeguards a covered entity (and, as the regulation's own text states, a business associate) must implement. Its security management process standard, § 164.308(a)(1), includes a required risk analysis at § 164.308(a)(1)(ii)(A): an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the entity's electronic protected health information. The same standard requires risk management at § 164.308(a)(1)(ii)(B): security measures sufficient to reduce the identified risks and vulnerabilities to a reasonable and appropriate level. A memo that cites the risk-analysis duty should therefore point to § 164.308, not to the sections that list specific controls.

Administrative versus technical safeguards

The Security Rule groups its standards into administrative safeguards (§ 164.308), physical safeguards (§ 164.310), and technical safeguards (§ 164.312). The risk analysis and risk management requirements live in the administrative safeguards. The technical safeguards at § 164.312 specify controls such as access control, audit controls, integrity, person or entity authentication, and transmission security; that section does not itself house the risk-analysis obligation, which is why a citation to § 164.312 for that proposition fails even though the section is real.

The judged input

What the AI drafted

Submitted to the judge

This is an excerpt from a draft data-privacy compliance policy memo — the kind of work product a lawyer generates with a legal-AI drafting tool, then has to stand behind. Kingsfield does not write it; it rules on the citations the model put in it. This draft cites two authorities; one of them is wrong.

AI draft excerpt — data-privacy compliance policy memo
The Company processes electronic protected health information and must satisfy the HIPAA Security Rule. We advise that under 45 CFR § 164.308 the Company conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to its ePHI and implement a risk management process to reduce those risks to a reasonable and appropriate level. The obligation to perform this security risk analysis is established by 45 CFR § 164.312.

The judge ruled on every citation as the draft used it — it accepted 45 CFR § 164.308 and rejected 45 CFR § 164.312. Here is why.

The verdict

How Kingsfield ruled

Ruled 2026-06-23

Each citation in the draft above was submitted to the Kingsfield judge and ruled against the primary-law corpus — Accept, Reject, or Inconclusive, per citation. These are live verdicts, not editorial. Each card shows the claim the draft made and the verbatim authority the verdict was rendered against.

Accept: 45 CFR § 164.308

The draft claimed: A covered entity must implement administrative safeguards, including a security management process that requires conducting a risk analysis of potential risks and vulnerabilities to electronic protected health information and a risk management process to reduce those risks.

“A covered entity or business associate must, in accordance with § 164.306:”

Cite found; proposition supported by the cited text.

Reject: 45 CFR § 164.312

The draft claimed: Section 164.312 is the Security Rule provision that requires a covered entity to conduct a security risk analysis of its electronic protected health information.

Cite found, but the cited text does not support the claim. 45 CFR § 164.312 sets out the technical safeguards (access control, audit controls, integrity, person or entity authentication, and transmission security); the risk-analysis and risk-management requirements are in the administrative safeguards at 45 CFR § 164.308. Regenerate with the correct authority.

Run your own work through the judge

Kingsfield rules on every citation, quote, and proposition your AI produces, against the primary law we cover. Accept, Reject, or Inconclusive, per citation, with a signed Audit Capsule.


This page is legal information, not legal advice, and does not create an attorney-client relationship. The draft shown is an illustration of a typical AI answer; verdicts reflect the cited authority in the Kingsfield corpus as of the ruling date shown above.

Kingsfield

The judge for legal AI.
A WalkerNash Development LLC product.

© 2026 WalkerNash Development LLC. All rights reserved.