3 Helpful Resources for Your HIPAA Security Risk Assessment



Security Risk Assessments (SRA) have been a required (and sometimes dreaded) obligation since the HIPAA Security Rule took effect in 2005, with enforcement sharpened by the HITECH Act in 2009. The Security Rule requires every covered entity (and, since HITECH, every business associate) to perform a risk analysis and to review it periodically; in practice, and under Meaningful Use and its successor programs, that means completing or updating the assessment at least annually.

It can be difficult to find reliable information that explains exactly what’s required in the security risk assessment and what to do after your risk assessment is complete.

To help ease the burden of an annual assessment and to mitigate potential vulnerabilities, we’ve compiled three of our favorite risk assessment templates you can use as guidance. While most practices enlist the help of a specialized healthcare security partner to conduct their annual security risk assessment and in-year risk assessment updates, these templates are a good place to start as you prepare for your practice’s SRA.

    1. HealthIT.gov Security Risk Assessment (SRA) Tool
      This tool was developed by the Office of the National Coordinator for Health IT (ONC) in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC). The SRA Tool walks you through each HIPAA Security Rule requirement by presenting a question about your organization's activities. Your "yes" or "no" answer to each question tells you whether you need to take corrective action for that particular item. There are 156 questions. In addition, the resources provided quote the safeguard language of the HIPAA Security Rule and help you consider the impact to your practice if the safeguard is not met. This tool is powerful and full of information. ONC also offers additional resources, such as its Top 10 Myths of Security Risk Analysis and a series of Security Risk Analysis videos.
    2. NIST Cybersecurity Framework
      Cybersecurity hacks account for 34 percent of all healthcare data breaches, second only to breaches caused by human error (41 percent). So, addressing the cybersecurity concerns uncovered during your security risk analysis only makes sense. The National Institute of Standards and Technology (NIST) issued its Framework for Improving Critical Infrastructure Cybersecurity for owners and operators of critical infrastructure, but any industry can use it to improve its infrastructure and guard against cyberattacks. Its core functions (Identify, Protect, Detect, Respond and Recover) give you a ready-made structure for organizing the technical gaps your SRA turns up and tracking what you do about them.
    3. HIMSS Risk Assessment Toolkit
      HIMSS is a long-standing leader in healthcare IT. The HIMSS Risk Assessment Toolkit guides your healthcare organization through the security risk analysis and risk management process. In addition to helping you understand the risk assessment process, the HIMSS Toolkit offers a step-by-step Security Risk Assessment Guide and a Data Collection Matrix for putting that understanding into practice. Further, the toolkit offers mitigation strategies to help your practice identify the next steps once the assessment is complete.

    The overwhelming and daunting nature of required risk assessments can be eased by using these tools for help, support and guidance. In addition, involve your third-party partners (Business Associates) in your assessment, ensuring they are also up to date on security guidelines and protocols; under HIPAA they carry their own risk analysis obligation, and their gaps are your breach exposure.