The HIPAA Security Rule mandates that covered entities must conduct a security risk assessment or SRA.