Security Risk Assessments: In Your Best Interest


As we enter the third quarter of the year, it is a good time to make sure you have completed your annual Security Risk Assessment (SRA). The risk analysis is mandated by the HIPAA Security Rule, and facilities are expected to perform an SRA at least once a year. The goal of the SRA is to help you identify how to protect your practice through risk identification and remediation.

As CMS notes, there is no single method or “best practice” that guarantees compliance, but most risk analysis and risk management processes share common steps. Here are the considerations CMS lists for conducting your risk analysis:

  • Define the scope of the risk analysis and collect data regarding the ePHI pertinent to the defined scope.
  • Identify potential threats and vulnerabilities to patient privacy and to the security of your practice’s ePHI.
  • Assess the effectiveness of implemented security measures in protecting against the identified threats and vulnerabilities.
  • Determine the likelihood that a particular threat will occur and the impact such an occurrence would have on the confidentiality, integrity and availability of ePHI.
  • Determine and assign risk levels based on the likelihood and impact of a threat occurrence.
  • Prioritize the remediation or mitigation of identified risks based on the severity of their impact on your patients and practice.
  • Document your risk analysis including information from the steps above as well as the risk analysis results.
  • Review and update your risk analysis on a periodic basis.

How to Comply

On your own this can seem like a lot of steps, but it is important that you perform a security risk assessment annually, so don’t let the size of the task discourage you. There are tools available to help you complete your SRA:

  • The ONC SRA Tool: This tool is available free of charge and was designed by the ONC in collaboration with HHS.
  • Vendor tools: Vendors that handle PHI, such as shredding or biohazard-waste companies, often offer an SRA tool along with, or as an add-on to, your existing services. Check with your current vendors.
    • Stericycle offers an SRA tool that is often bundled with its health policy and HIPAA training modules.
    • Shred-IT offers assistance in performing SRAs to help facilities complete them.
    • Other vendors may offer services as well; assess as many as you can before selecting one.

Performing the SRA and developing a remediation plan will help you identify areas of weakness and risk. Once a risk is identified, you can create a process to mitigate it and strengthen your security. Some cyber-breach insurance underwriters will even offer a discount to clients who can show that they regularly perform and remediate annual SRAs. The remediation part is important: if you perform three SRAs in three years and they are all identical because you have not remediated anything, you are missing the intent of the rule.

The Biggest Risk

The primary risk related to SRAs is either not doing one at all, or doing it and then not remediating what it finds. If you identify a risk but make no attempt to mitigate it, it can turn into a breach that could have been avoided, and that scenario rarely plays out well for the facility. Get ahead of the issue by scheduling annual SRAs and remediation into your annual roadmap.
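The CMS steps listed earlier (scope, threats and vulnerabilities, existing controls, likelihood and impact, risk levels, prioritization, documentation) and the warning above about an unremediated risk register can both be captured in a small risk register. The following Python is an added example, not code from the original post or from CMS or the ONC; the 1-to-3 rating scales, the Low/Medium/High bands, and the two sample registers are assumptions constructed for illustration. It scores each risk from likelihood and worst-case CIA impact, orders remediation by score, and flags entries that reappear this year exactly as they were left unremediated last year.

```python
from dataclasses import dataclass

# Scales and bands below are assumptions for this example; neither HIPAA
# nor CMS prescribes a particular scoring scheme.
SCALE = (1, 2, 3)  # 1 = low, 2 = moderate, 3 = high


@dataclass(frozen=True)
class Risk:
    asset: str          # ePHI system or process within the defined scope
    threat: str         # e.g. ransomware, device theft
    vulnerability: str  # weakness the threat would exploit
    controls: str       # safeguards already in place
    likelihood: int     # 1..3, chance the threat occurs in a year
    impact_c: int       # impact on confidentiality of ePHI, 1..3
    impact_i: int       # impact on integrity, 1..3
    impact_a: int       # impact on availability, 1..3
    remediated: bool = False

    def __post_init__(self):
        for v in (self.likelihood, self.impact_c, self.impact_i, self.impact_a):
            if v not in SCALE:
                raise ValueError(f"rating {v!r} outside scale {SCALE}")

    def key(self):
        """Identity used to match the same risk across yearly registers."""
        return (self.asset, self.threat, self.vulnerability)

    def impact(self) -> int:
        # Worst-case impact across the three security objectives.
        return max(self.impact_c, self.impact_i, self.impact_a)

    def score(self) -> int:
        return self.likelihood * self.impact()  # 1..9

    def level(self) -> str:
        s = self.score()
        return "High" if s >= 6 else "Medium" if s >= 3 else "Low"


def prioritize(register):
    """Remediation order: highest score first, then by asset name for stability."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))


def carried_over(prior, current):
    """Risks listed again this year that were left unremediated last year."""
    open_last_year = {r.key() for r in prior if not r.remediated}
    return [r for r in current if r.key() in open_last_year]


def report(current, prior=()) -> str:
    """Plain-text documentation of the analysis results and stale findings."""
    lines = ["Risk analysis results"]
    for r in prioritize(current):
        lines.append(f"  {r.level():<6} score={r.score()}  {r.asset}: {r.threat} "
                     f"via {r.vulnerability} (controls: {r.controls})")
    stale = carried_over(prior, current)
    if stale:
        lines.append(f"  {len(stale)} risk(s) unremediated since the prior SRA:")
        lines.extend(f"    - {r.asset}: {r.threat}" for r in stale)
    return "\n".join(lines)


# Constructed sample registers for a hypothetical practice (not real findings).
PRIOR_YEAR = [
    Risk("EHR server", "ransomware", "unpatched operating system",
         "antivirus only", 3, 2, 3, 3),
    Risk("clinician laptops", "device theft", "no full-disk encryption",
         "cable locks", 2, 3, 1, 1, remediated=True),
]
THIS_YEAR = [
    Risk("EHR server", "ransomware", "unpatched operating system",
         "antivirus only", 3, 2, 3, 3),  # identical entry: nothing was fixed
    Risk("backup tapes", "loss in transit", "unencrypted offsite backups",
         "courier chain of custody", 1, 3, 1, 2),
]

if __name__ == "__main__":
    print(report(THIS_YEAR, PRIOR_YEAR))
```

Matching risks across years by asset, threat and vulnerability is what lets the register catch the "three identical SRAs" failure: a High-scoring entry that survives unchanged from one assessment to the next is listed separately in the report, so the remediation gap is documented rather than buried in a spreadsheet that looks complete.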

Look at all the tools available to you and find the one that best fits your needs, budget, and key program goals. The ONC and HHS offer a large body of educational resources to support your efforts; use them to the fullest. Consider forming an internal SRA team and breaking the overall task into smaller sections based on skill set and experience. You have options for completion and remediation, so now is a great time to ensure your 2017 SRA is completed and to plan for 2018!
