The Department of Health and Human Services (HHS) developed an interactive Security Risk Assessment Tool (SRA Tool) to help covered entities perform and document HIPAA security risk assessments. Although the SRA Tool was designed for health care providers, it is a helpful resource for all covered entities, including health plans and business associates. This Compliance Overview provides an summary of the SRA Tool and includes links to the tool and additional resources.
1. This Compliance Overview is not intended to be exhaustive nor should any discussion or
opinions be construed as legal advice. Readers should contact legal counsel for legal advice.
RISK ASSESSMENT
Covered entities and business
associates must analyze the
potential risks and vulnerabilities of
their ePHI.
Based on this analysis, covered
entities and business associates
must implement reasonable and
appropriate safeguards.
Risk assessment is an ongoing
process.
SRA TOOL
The SRA Tool can help guide a
covered entity through the risk
assessment process.
It can be downloaded and run on
various environments, including
Windows’ and Apple’s operating
systems.
The tool merely collects data; it
does not send data anywhere else.
HIPAA Security Risk Assessment Tool
The Department of Health and Human Services (HHS), through its Office
of the National Coordinator for Health Information Technology (ONC),
has developed an interactive Security Risk Assessment Tool (SRA Tool)
to assist covered entities in performing and documenting Health
Insurance Portability and Accountability Act (HIPAA) security risk
assessments.
Although HHS designed the SRA Tool for health care providers in small- to
medium-sized offices, it is a helpful resource for all covered entities and
business associates to review their implementation of the HIPAA Security
Rule.
Conducting a risk assessment is a crucial first step in an organization’s
efforts to comply with the Security Rule. It directs what reasonable steps
a covered entity or business associate should take to protect the ePHI it
creates, transmits, receives or maintains. Risk assessment is also an
ongoing process. Covered entities and business associates should
periodically revisit their risk assessments and make appropriate updates
to their ePHI safeguards.
LINKS AND RESOURCES
Download the SRA Tool here
SRA Tool User Guide
SRA User Videos
Provided by Encompass HR Solutions