What is the Security Risk Assessment Tool (SRA Tool)?
The Office of the National Coordinator for Health Information Technology (ONC) recognizes that conducting a risk assessment can be a challenging task. That’s why ONC, in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), developed a downloadable SRA Tool [.exe - 66 MB] to help guide you through the process. This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment.
The SRA Tool is a self-contained, operating system (OS) independent application that can be run on various environments including Windows OS’s for desktop and laptop computers and Apple’s iOS for iPad only. The iOS SRA Tool application for iPad, available at no cost, can be downloaded from Apple’s App Store...
Completing a risk assessment requires a time investment. At any time during the risk assessment process, you can pause to view your current results. The results are available in a color-coded graphic view (Windows version only) or in printable PDF and Excel formats.OK, let me save you a bit of trouble with respect to the 3 paper-based versions.
For details on how to use the tool, download the SRA Tool User Guide [PDF - 4 MB].
A paper-based version of the tool is also available:
- Administrative Safeguards [DOCX - 269 KB]
- Technical Safeguards [DOCX - 240 KB]
- Physical Safeguards [DOCX - 225 KB]
posted it here for your convenience.
"Completing a risk assessment requires a time investment." Indeed it does. Do a little back-of-the-bar-napkin math. 436 pages? Round down to 430 to exclude the redundant title pages, etc. Assume one minute per page just initially reviewing the entire document. Roughly one full FTE work day. Don't take my word for it; download it and go through it.
Assume then, say (charitably), 30 minutes per page on average adequately addressing and responding to all aspects of the SRA. ~One month of FTE -- by someone with the requisite 45 CFR 164.308, 310, 312 et seq chops.
No matter how you slice it -- doing it all in-house, or bringing in a credible consultant (keyword "credible") -- you're looking at spending ten grand or so, minimally, first time around.
But, were you to get audited and found to be noncompliant, you'll be doing it anyway, under an onerous CAP (Corrective Action Plan), and a good bit lighter in the bank account after the punitive HHS/OCR monetary settlement.
Below, one of my 2011 REC SmartDraw graphics:
See also my December 18th, 2001 REC Blog post regarding the also free downloadable NIST Security Rule Toolkit.
More to come...