Security Risk Assessment Tool Released to Aid in HIPAA Compliance

The U.S. Department of Health and Human Services (HHS) has released a Security Risk Assessment (SRA) Tool to aid small and medium-sized providers in their compliance with the HIPAA Security Rule. The Tool was developed in collaboration with the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR). The Tool generates a report that may be used to identify and correct deficiencies in the provider's information management practices, and that report can then be used to document compliance to OCR HIPAA auditors.

The HIPAA Security Rule requires providers to conduct a security risk assessment. Use of the new Tool is not required by the HIPAA Security Rule, but its use is encouraged as an aid to performing a thorough and complete risk assessment. Performing a security risk assessment is also a core requirement of the Medicare and Medicaid EHR Incentive Programs.

The SRA Tool is a standalone application that can be run on Windows computers. It is also available as an iPad application, which can be downloaded for free from Apple's App Store. A paper-based version of the Tool is also provided.

The SRA Tool guides providers through each HIPAA requirement by asking yes or no questions about the procedures and activities of the provider’s practice. Based upon the provider’s answers, the SRA Tool will direct the provider to take corrective action if needed. Each question is accompanied by helpful explanations and resources.

Answers, comments, and any remediation plans developed by the provider may be saved directly in the Tool. This saved information is not transmitted to HHS; it remains with the provider for the provider's own use.

The SRA Tool contains 156 questions, and a provider using the Tool should plan to invest a significant amount of time in completing the security risk assessment. The provider may pause the program at any time during the process to view current results, which are available in a color-coded graphic view as well as in printable PDF and Excel formats.

The application or paper version of the tool may be downloaded at SRA Tool User Guide is also available at

Please note that use of the SRA Tool does not guarantee compliance with the HIPAA provisions or other local, state, or federal laws. The Tool is designed to provide information to providers, and providers may be required to take further action to achieve compliance with the Security Rule and other laws. Should you have any questions about use of the SRA Tool or other questions about compliance with recent HIPAA changes, please contact Peter Mellette or Harrison Gibbs, or call Mellette PC at (757) 259-9200.

This Client Advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.