Last Updated: Oct 2, 2019
Why should a health care organization conduct security risk assessments (SRAs)?
- Security risk assessments help health care organizations prevent data breaches and protect patients’ health information.
- These assessments are necessary for HIPAA Security Rule compliance.
- For clinicians participating in the Medicare program’s Merit-based Incentive Payment System (MIPS), the completion of a security risk analysis is required for the Promoting Interoperability performance category.
There is a free online SRA Tool you can use to conduct SRAs. The SRA Tool is designed for small to medium-sized practices, although a practice of any size can use it. It offers features such as a progress tracker, threat and vulnerability ratings, detailed reports, and business associate and asset tracking.
The latest version of the SRA Tool was released by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) in October 2018. This version promises a more user-friendly platform with improvements to the user interface, tracking and workflow.
Get the SRA Tool
System Requirements: The SRA Tool is available for Windows desktop and laptop computers. A previous iPad version of the tool is also available through Apple’s App Store (search for “HHS SRA Tool”). The SRA Tool is not available for macOS.
A Security Risk Assessment Tool User Guide is available on HealthIT.gov.
You can find the Pennsylvania Medical Society’s (PAMED) HIPAA resources – including our HIPAA Security Toolkit and Notice of Privacy Practices example – online at www.pamedsoc.org/HIPAA. PAMED members with questions can also contact our Knowledge Center at 855-PAMED4U (855-726-3348) or KnowledgeCenter@pamedsoc.org.