In October 2019, the Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) released version 3.1 of the Security Risk Assessment Tool (SRA Tool).
What does HIPAA's SRA tool do?
This downloadable tool acts as a preliminary risk assessment guide for small to medium-sized healthcare providers. The HIPAA Security Rule requires providers to conduct periodic risk assessments of their assets. Using the SRA Tool does not by itself make a provider HIPAA compliant or fully secure, but it does help them identify problem areas in their infrastructure, protocols and processes.
The tool is a standalone application that stores all of its data locally. It asks the user a series of simple questions tied to existing HIPAA requirements, and the user's answer to each question should help them decide whether the issue in question requires action. The tool also lets providers record additional comments and the measures they plan to take to address any deficiencies.
How are HIPAA's SRA questions developed?
The SRA Tool questions are gathered from a number of resources, the first and most important of which is the HIPAA Security Rule itself. Furthermore, questions are also based on a number of National Institute of Standards and Technology (NIST) publications and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Why should you use the SRA tool?
The SRA Tool is a great asset to have in your toolkit. Aside from being an affordable starting point for small and medium-sized providers, it is a user-friendly way to identify potential vulnerabilities and threats to ePHI. Risk assessment results are color-coded and easy to understand. It also lets providers assess all software and hardware involved with sensitive health records, including vendors and business associates. The SRA Tool can be used to conduct routine checks as often as the provider needs.
3 useful features of the SRA tool for HIPAA compliance
Glossary
The tool accounts for the fact that some terms may be unclear or need further explanation. Any term that is underlined in blue can be clicked for a definition.
Sectioning
The SRA Tool asks users a series of questions about their implementation of the standards mandated by HIPAA. It divides the questions into the following seven sections:
- SRA Basics
- Security Policies, Procedures, & Documentation
- Security & Your Workforce
- Security & Your Data
- Security & Your Practice
- Security & Your Vendors
- Contingency Planning
After each section, the tool prompts the user to select potential vulnerabilities and to rate threats by their potential impact. This pool of data is then used to determine the provider's or business associate's (BA's) risk level for that specific section.
Risk Report
At the end of the risk assessment, the tool produces a report that highlights any risk indications. The report includes a risk breakdown in the form of a color-coded pie chart, a risk assessment rating key and a list of areas that must be reviewed.