HIPAA Security Risk Assessment, SRA Tool

The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) are heavily focused on helping professionals get back into compliance with HIPAA requirements as the nation reorganizes around COVID-19. To ensure full compliance with all three HIPAA laws (security, privacy, and transmission), HIPAA has begun to require all covered entities to conduct a HIPAA security risk assessment and to update it regularly. Updates must be performed routinely, such as every six months or yearly, and in response to changes in business processes, such as buying new equipment, changes in operations, and responses to threats.

HIPAA Security Risk Assessment Considerations

The following are the top three takeaways from a recent HIPAA Security assessment webinar sponsored by the OCR, HHS, and ONC:

1. HIPAA Risk Assessment

Conducting a thorough, comprehensive HIPAA risk assessment of an organization is crucial for HIPAA compliance. A detailed analysis of systems and processes is a required administrative safeguard under the HIPAA Security Rule. Failure to conduct a comprehensive security risk analysis often leads to HIPAA sanctions. TBHI’s previous articles on conducting HIPAA risk assessments may be of interest for more information:

To simplify this difficult process, OCR and ONC have developed the SRA Tool, which is available for free. It can be used online to complete the risk assessment and to document the identified risks and the mitigation strategies for them. Both individuals and organizations should expect to spend a considerable amount of time performing a HIPAA security risk assessment, whether they use the SRA Tool or not. As can be expected, the quality of the assessment is directly proportional to the time and effort put into it.

2. Potential Risks in HIPAA Security Risk Assessment

A covered entity can expect to be required to evaluate its entire security landscape when performing the HIPAA security risk assessment. It is insufficient to assess only one security aspect, such as threats to an electronic health record (EHR). Instead, when conducting the assessment, entities must consider potential risks and vulnerabilities to electronically transmitted protected health information (PHI) for email, mobile devices, and cloud-based applications.

3. SRA Tool Improvements

Recent SRA Tool improvements include the following:

  • The SRA Tool now has an interactive spreadsheet version. Covered entities that are unable to run the software tool, or that prefer to work in a spreadsheet format, can use the spreadsheet.
  • Criteria from the Health Industry Cybersecurity Practices (HICP) Technical Volume 1 have been incorporated into the Tool to provide users with context on cybersecurity best practices.
  • File association features allow users to open files created with the SRA Tool with greater ease.
  • Short instructional videos have been added to help users navigate the Tool.

The SRA Tool is still incompatible with macOS. Future updates will not include support for this operating system. However, macOS users are now able to use the downloadable, interactive spreadsheet version.

Your Opinion Matters

SRA Tool users can provide feedback using this Survey. Those who have previously used the Tool can share their experiences and thoughts about the SRA Tool and its user interface.
