The Security Rule requires that covered entities and business associates periodically perform a HIPAA security risk assessment. To highly summarize, the security risk assessment must be performed to (1) determine how your organization receives, stores, and transmits ePHI; (2) identify the risks and vulnerabilities to ePHI that are present in your information systems; and (3) address those risks and vulnerabilities.