HIPAA Security Risk Assessment, sra tool

Have You Updated Your HIPAA Security Risk Assessment?



The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) are heavily focused on helping professionals get back into compliance with HIPAA requirements as the nation reorganizes around COVID-19. The HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)) requires every covered entity and business associate to conduct an accurate and thorough security risk analysis and to keep it current; together with the Privacy Rule and the Breach Notification Rule, it forms the core of HIPAA compliance. The assessment must be reviewed and updated on a routine schedule, such as every six months or yearly, and whenever the business changes in ways that affect risk: buying new equipment, changing operations, adopting new software or vendors, or responding to a threat or incident.

HIPAA Security Risk Assessment Considerations

The following are the top three takeaways from a recent HIPAA Security assessment webinar sponsored by the OCR, HHS, and ONC:

1. HIPAA Risk Assessment

Conducting a thorough, comprehensive HIPAA risk assessment of an organization is crucial for HIPAA compliance. A detailed analysis of systems and processes is a required administrative safeguard under the HIPAA Security Rule. Failure to conduct a comprehensive security risk analysis often leads to HIPAA sanctions.

To simplify this difficult process, OCR and ONC have developed the Security Risk Assessment (SRA) Tool, available free of charge as a downloadable application. It walks the user through the risk assessment and produces a report of the identified risks and the chosen mitigation strategies. Both individuals and organizations should expect to spend a considerable amount of time performing a HIPAA security risk assessment, whether they use the SRA Tool or not. As can be expected, the quality of the assessment is directly proportional to the time and effort put into it.

2. Potential Risks in HIPAA Security Risk Assessment

A covered entity should expect to evaluate its entire security landscape when performing the HIPAA security risk assessment. It is insufficient to assess only one security aspect, such as threats to an electronic health record (EHR). Instead, the assessment must consider the potential risks and vulnerabilities to electronic protected health information (ePHI) wherever it is created, received, maintained, or transmitted, including email, mobile devices, removable media, and cloud-based applications.

3. SRA Tool Improvements

Recent SRA Tool improvements include the following:

  • The SRA Tool now has an interactive spreadsheet version. Covered entities that cannot run the software tool, or that prefer to work in a spreadsheet format, can use the spreadsheet instead.
  • Criteria from the Health Industry Cybersecurity Practices (HICP) Technical Volume 1 have been incorporated into the Tool to give users context on cybersecurity best practices.
  • File association features allow users to open files created with the SRA Tool with greater ease.
  • Short instructional videos have been added to help users navigate the Tool.

The SRA Tool application is still incompatible with macOS, and future updates will not add support for that operating system. However, macOS users can now use the downloadable, interactive spreadsheet version.

Your Opinion Matters

SRA Tool users can provide feedback through the survey linked above. Those who have previously used the Tool can share their experiences and thoughts about the SRA Tool and its user interface.

Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.
