Post Date: September 29, 2016         Topics: HIPAA


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the HHS Office of the National Coordinator (ONC) recently updated their Security Risk Assessment (SRA) Tool for small to mid-sized health care organizations. The Tool includes 156 questions designed to help organizations conduct a security risk assessment and document that they have performed it.

The HIPAA Security Rule requires covered entities to regularly review the administrative, physical and technical safeguards that they have in place to protect the security of electronic protected health information (e-PHI). After evaluating the risks and vulnerabilities in their environments, covered entities must implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Covered entities must continue to review, correct or modify, and update their security protections.

The SRA Tool produces a report that can be used to track compliance efforts and can be provided to auditors. Information entered into the SRA Tool is not reported to OCR or ONC, as the Tool simply serves as a repository for the organization’s information.

For more information from OCR on risk assessments, click here.