Health care providers received a gift from the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC) last week. On March 28, 2014, ONC, the HHS agency driving federal efforts on health information technology, released a new Security Risk Assessment (SRA) Tool to assist health care providers with completion of the risk assessment required under the HIPAA Security Rule. Although HHS indicated that the SRA Tool is designed to assist small- to medium-sized providers, the SRA Tool also contains guidance that assists larger providers and business associates with completion of the required assessment.


The SRA Tool consists of three parts: technical safeguards, physical safeguards, and administrative safeguards. In each part, the SRA Tool takes the provider through each standard and implementation specification as outlined in the Security Rule by asking a series of questions. The SRA Tool also provides helpful information for providers to consider in answering the questions as well as examples of possible threats, vulnerabilities, and safeguards. The SRA Tool allows space for a detailed description of the provider’s current activities and remediation plan to address any identified threats or vulnerabilities. The SRA Tool is available in Windows and iOS iPad formats. Providers can download the Windows version at risk-assessment. The iOS iPad version is available via the Apple App Store at https://itunes.

The ONC has posted a Tutorial Video and User Guide to assist providers with navigating the SRA Tool. Upon completion of the SRA Tool, a report can be generated and downloaded for purposes of documenting the provider’s Security Rule compliance. This documentation will be important for responding to upcoming audits and addressing Office for Civil Rights (OCR) complaint investigations.


HHS released the new SRA Tool on the heels of OCR’s February announcement that HIPAA audits will resume later this year. OCR’s first step involves a survey of 1,200 entities (800 covered entities and 400 business associates) to obtain information about the entities, enabling OCR to assess the size, complexity, and fitness of a covered entity or business associate for an audit. OCR will be seeking information related to the number of patient visits for health care providers; number of insureds for group health plans; use of electronic information; revenue; and geographic location. OCR has indicated that not all entities that are surveyed will be audited.

OCR also stated that the audit protocols utilized in the pilot program will be modified to be narrower in scope, which will enable OCR to include more entities in the audits. Providers should expect compliance with the Security Rule risk assessment requirement to be a primary focus of the upcoming audits. The pilot program audits uncovered a widespread failure by covered entities to complete a risk assessment. Two-thirds of the covered entities (providers, group health plans, and health care clearinghouses) failed to produce a complete and accurate risk assessment. Of that number, nearly eighty percent of providers did not satisfy the risk assessment requirement. Providers should seize this opportunity to complete a risk assessment before they receive an audit notification letter.


Completion of a security risk assessment is also a requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program (Meaningful Use Program). CMS and its contractor, Figliozzi and Company, are actively auditing providers to detect inaccuracies in eligibility, reporting, and payment. Providers should make sure they have completed a risk assessment for the applicable year before they submit an attestation for Meaningful Use.