All medical practices and business associates must conduct a HIPAA Security Risk Analysis under the HIPAA Security Rule. Having the required documentation in place will protect your organization from annual gaps in required information and documents.
Should the organization be investigated by the Office for Civil Rights (OCR) due to a data breach or a complaint from a patient or disgruntled employee, the investigator may review, at a minimum, a 12-month look back on your documentation. You must have "recognized security practices" in place, and that includes a security risk analysis. Fines and penalties may be reduced and even waived if you demonstrate these good faith efforts.
Even cash practices have been fined for not adhering to the HIPAA Privacy Rule. Best practice is to conduct a thorough risk analysis that covers both the Privacy and Security Rules. Aris' 7-Step platform does just that!