Security Risk Assessments — What You Need To Know

Earlier this year, the Medical Association of Georgia (MAG) released an alert on their website and email campaign urging practices to confirm they are meeting all of the ‘meaningful use’ requirements in full. The Centers for Medicare and Medicaid Services (CMS) plans to conduct 38,000 retroactive and pre-payment audits in 2015, and it is stressing that it will recoup the incentives from practices that did not meet the requirements in full.

CMS auditors have reportedly stated that “…being found deficient on any one measure will cause a provider to be out of compliance. In this case, CMS will recoup the provider’s entire stimulus for the reporting period in question.” CMS has up to six years to conduct an audit for a given year.

Debra Steen with ACR 2 Solutions, Inc. says that, “In early 2013, nearly 80 percent of phase one audited practices failed their risk assessments. One failed attester in Texas is facing up to five years in federal prison for false attestation and Medicare fraud. Many other attesters have been required to return millions in subsidy funds.”

She adds that, “The number one problem for meaningful use qualification is the lack of a 45 CFR 164.308 compliant risk assessment…despite the requirements of both HIPAA and meaningful use.”

Medicus Solutions specializes in healthcare informatics, and we are here to help. We have started to see these audits in practices we support. Completing the security risk assessment is the responsibility of the practice because of the areas it covers. We strongly urge each and every practice to review all of its documentation, and specifically its security risk assessments. You should have a completed security risk assessment for each year / reporting period, and it must be updated with identified risks and risk remediation plans.

We have received a number of requests from clients over the past couple of months for Medicus to complete the practice’s security risk assessment. A security risk assessment comprises at least three (3) areas: administrative safeguards, technical safeguards, and physical safeguards. Completing a risk assessment requires a time investment; Medicus helps its clients with the technical portion of the risk assessment as part of our support. Practices will need to complete the administrative and physical safeguard sections themselves.

The Office of the National Coordinator for Health Information Technology (ONC) has worked with the Health and Human Services (HHS) Office for Civil Rights (OCR) and the Health and Human Services (HHS) Office of the General Counsel (OGC) to develop a tool to help practices complete a security risk assessment.

We have provided access to the tool the ONC has released on our website for your convenience. This includes paper-based versions of the tool, an iPad version, a desktop computer version, and the user’s guide. There are a total of 156 questions. Resources are included with each question to help you:

  • Understand the context of the question
  • Consider the potential impacts to your PHI if the requirement is not met
  • See the actual safeguard language of the HIPAA Security Rule

Paper Based Version of the Tool

Download Administrative Safeguards [DOCX – 269 KB]

Download Technical Safeguards [DOCX – 240 KB]

Download Physical Safeguards [DOCX – 225 KB]

Computer / Desktop Version of the Tool

Download SRA Tool Here – Computer Version (EXE – 66 MB)

iPad Version of the Tool

Download SRA Tool Here – iPad Version

SRA Tool User’s Guide

Download SRA Tool User’s Guide Here

For updates, below is the link to the site:

MAG Alert:


The Security Risk Assessment Tool at is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: The NIST standards provided in this tool are for informational purposes only, as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider’s or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.
