Buyer Tips

Multi-Site Risk Analysis: One Engagement, or One Per Building?

If your organization operates more than one building, the most consequential line in a risk analysis proposal is the one specifying how many locations are in scope — and it is very often the vaguest line in the document. The regulatory position is not ambiguous: HHS guidance says a risk analysis must account for all ePHI an organization holds, "regardless of the source or location" of it. Every site holding ePHI is in scope. What varies enormously between vendors is whether covering those sites is included, priced per site, or quietly deferred to a consulting engagement quoted later. That is a commercial question wearing regulatory clothing, and it is worth undressing before you sign.

The short answer

The Security Rule does not require one risk analysis document per building. It requires one accurate and thorough assessment of risks to all ePHI held by the organization — and for a multi-site group, that is a single analysis whose scope reaches every site. Most organizations produce one organizational risk analysis with site-level findings inside it.

What is not defensible is an analysis whose scope stopped at the locations someone happened to visit, with the remaining sites represented by an assumption that they are "the same as the main office."

What HHS says about scope

The risk analysis requirement itself is one sentence, at 45 CFR 164.308(a)(1)(ii)(A), and it is labeled Required: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.

OCR's guidance on that requirement is where the multi-site question gets answered directly:

HHS, on the scope of the analysis: the scope "includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits." It continues: "Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization's risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI."

Three phrases are doing the work: all e-PHI, multiple locations, and regardless of location. There is no threshold, no materiality carve-out, and no provision that lets a small satellite office fall out of scope because it is small.

Why site two costs more than you expect

Buyers are frequently surprised by multi-site pricing because they reason from software, where the marginal cost of another location is roughly zero. That intuition is correct for technical safeguards and wrong for physical ones.

Assessing technical safeguards (45 CFR 164.312 — access control, audit controls, integrity, transmission security) across twelve clinics on one shared network is only marginally harder than assessing one. The systems are the same systems.

Assessing physical safeguards (45 CFR 164.310) does not scale that way, because 164.310 is about buildings. The standards include facility access controls covering "the facility or facilities in which they are housed"; access control and validation procedures "including visitor control"; a facility security plan protecting the facility and equipment from unauthorized physical access, tampering, and theft; maintenance records documenting repairs to physical components related to security, for which the rule gives its own examples — "hardware, walls, doors, and locks"; workstation use policies specifying "the physical attributes of the surroundings" of a workstation; and device and media controls governing hardware moving into and out of a facility, where disposal and media re-use are both labeled Required.

Every one of those is a fact about a specific room in a specific building. Clinic nine has its own doors, its own front desk sightlines, and its own closet with a decommissioned server in it. That is why the honest cost driver in multi-site work is presence, not licensing — and why vendors' answers diverge so widely.

Four scoping models you will be quoted

ModelHow it handles site 2–12Watch for
Single engagement, all sitesOne scope, one price, every location coveredConfirm the site count in the contract matches your real count, including satellites
Per-site pricingBase price plus a unit cost per additional locationGet the unit cost in writing; ask whether it changes above a threshold
Self-service, you cover the sitesSoftware scopes it; your staff walks each buildingPerfectly valid — if someone is actually assigned to do it and document it
Base plus consulting SOWAdditional sites become a separate statement of workThe SOW is usually not quoted during the sale. Ask for the rate before signing

None of these four is wrong. The fourth is the one that most often produces a number nobody budgeted for, because the assessment appears to be bought and the site coverage appears to be included, and the gap between those two impressions does not surface until scheduling.

What counts as a site

Ask, because the definition is where the count moves:

  • A part-time or satellite clinic open two days a week — still a facility housing electronic information systems.
  • A records storage unit holding decommissioned drives or backup media — device and media controls at 164.310(d) govern hardware moving into and out of a facility.
  • An administrative or billing office with no patients in it — ePHI does not have to sit near a patient to be in scope.
  • Remote and home-office staff. Not a facility you control, but the workstation standards at 164.310(b) and (c) still apply to workstations that access ePHI, and 164.308(a)(3)(ii)(A) addresses supervision of workforce members who work with ePHI "or in locations where it might be accessed."
  • A location you are about to open or close. HHS names change in ownership and new technology among the triggers for revisiting the analysis.

Questions that surface the scope early

  1. How many locations does this proposal cover? Say the number back against the number we operate.
  2. Does every site receive a physical walkthrough, and who performs it — you, or us?
  3. What is the unit cost of adding a thirteenth site?
  4. Do storage units, billing offices, and part-time satellites count as sites under your pricing?
  5. How are remote workers covered?
  6. Is the deliverable one organizational analysis, or one report per site?
  7. If we open a clinic in month four, what happens?

Question two is the one that separates the models. Ask it in those words.

One analysis or twelve reports?

A single organizational analysis with site-level detail is usually the more useful artifact, for a reason that has nothing to do with page count: risk is often created by the relationship between sites. A shared VPN, a chart-transport process between clinics, one badge system administered centrally, a backup that runs from headquarters over a link that clinic six shares with its guest wifi — none of those risks live at any single address. Twelve independent site reports can each conclude "acceptable" while the organization holds a risk that only appears when you look at the network as a whole.

Per-site reports are still valuable, and site managers will actually read them. The practical answer for most groups is one analysis, with a per-site annex. Ask which you are getting.

The takeaway

The regulation settles the part people argue about and leaves open the part they do not ask about. Scope is settled: all ePHI, every location, no threshold. Delivery is open: one engagement, per-site pricing, your own staff, or a consulting SOW — and any of those can be the right purchase for your organization.

So the question to put to a vendor is not "do you support multi-site?" Every vendor supports multi-site. The question is "what does site twelve cost, who walks it, and is that number in this proposal?" Get the answer in writing, against your real site count, before the signature rather than after.

Common questions

Does a HIPAA risk analysis need to cover every clinic location?

Yes. HHS guidance on the risk analysis requirement states that the scope includes potential risks and vulnerabilities to all ePHI an organization creates, receives, maintains, or transmits, and that electronic media includes a single workstation as well as complex networks connected between multiple locations. It adds that the analysis should take into account all ePHI regardless of the source or location of that ePHI. Every location holding ePHI is in scope. Whether that is delivered as one engagement or several is a commercial decision, not a regulatory one.

Can one risk analysis cover multiple sites, or do we need one per site?

The Security Rule does not require a separate risk analysis document per building. It requires an accurate and thorough assessment of risks to all ePHI held by the organization, which for a multi-site group means one analysis whose scope reaches every site. Many organizations produce a single organizational analysis with site-level findings inside it. What is not defensible is an analysis whose scope silently stops at the locations someone happened to visit.

Why do vendors price multi-site risk analysis so differently?

Because the cost driver is physical presence, not software. Assessing technical safeguards across twelve sites on one shared network is only marginally harder than assessing one. Assessing physical safeguards at 45 CFR 164.310 means someone has to be in each building looking at facility access, workstation surroundings, and media disposal. Vendors price that very differently depending on whether they send someone, ask you to send photographs, or leave it to your staff entirely.

What should a multi-site risk analysis proposal specify?

At minimum: the exact number of locations in scope by address or count, whether each site receives a physical walkthrough and by whom, the unit cost of adding a site, whether satellite or part-time locations count as sites, how remote and home-office workers are covered, and whether the deliverable is one organizational analysis or a set of per-site reports. Get the site count in writing against the count you actually operate.