Using the ONC/OCR SRA Tool in Your HIPAA Risk Analysis

If you’ve ever tried to learn another language, you know that it’s incredibly difficult to just jump in—self-instruction can be difficult, disorganized, and overwhelming. It’s helpful, when setting off on this ambitious endeavor, to engage with a helpful tool that features a more structured approach with instruction on specific concepts. Let’s face it—if there’s something out there that can simplify complex ideas, it just makes sense to take advantage of it.

It's common knowledge that HIPAA compliance can be tricky. A common mistake many organizations make is jumping straight into implementing controls that seem relevant to the HIPAA Security Rule requirements without consideration of the unique risks they face. We know that’s a common challenge because over 90% of Office for Civil Rights (OCR) enforcement actions taken to date are regarding an insufficient risk analysis/risk management program. 

Luckily, there’s something out there that can help.

Like DuoLingo or Rosetta Stone can assist you in picking up Spanish or French, there’s a Security Risk Assessment (SRA) tool that can help guide organizations through the HIPAA risk analysis process.

In this article, we’ll discuss what makes this risk analysis/risk management so challenging and how the SRA tool can help with that.

You don’t need to be among that 90% that get slapped with HIPAA violations because of problems assessing risk—read on so you can benefit from an established advantage.


The Challenge with the HIPAA Security Rule

So why is there so much trouble around risk and the HIPAA Security Rule? For starters, it’s often incorrectly viewed as more of a compliance framework, which is not its intent. In fact, the HIPAA Security Rule starts with risk analysis at its core—everything else should flow from there.

HIPAA has been around since 1996, but the Security Rule has avoided constant updates because of its non-prescriptiveness—the requirements are high-level by design and allow organizations to determine what appropriate safeguards should be.

These appropriate safeguards should be based on each organization’s risk analysis, but the challenge you have is knowing what’s acceptable—from a risk analysis perspective—to the OCR.

You can always reference the OCR’s HIPAA risk analysis guidance document, but again, that only gives you high-level considerations, and many medium- to large-sized businesses likely already have a risk analysis program that encompasses those items identified in that guidance. Even still, those organizations may not yet be compliant with the HIPAA Security Rule, and what about smaller companies that may not have any formal risk analysis process at all?


What is the HIPAA SRA Tool?

To help everyone out, the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the OCR, developed the downloadable SRA Tool.

The SRA Tool is designed to help covered entities and business associates conduct a risk analysis in a way that meets the HIPAA Security Rule requirement, and the best thing about it is that it’s free!

So how can you make it work for you?

First, you’ll need to enter general contact information, asset inventory details, and a list of vendors—also known as the Practice Info section—and there are some mishaps you should avoid here.


Asset Inventory Challenges

You need to ensure that your risk analysis process considers all the assets where PHI/ePHI may reside in your environment—oftentimes, organizations will miss something, and trust us, the OCR does notice.

A detailed asset inventory will help demonstrate that consideration was put into documenting all the relevant assets to be considered in the risk analysis process. You might already be agonizing over how long you feel that might take to input, but don’t worry—there’s an asset template that allows you to upload a .csv file of your inventory, which saves you time by sparing you from entering every asset line item by line item in the tool.

Vendor Tracking Challenges

As part of that thoroughness in your asset inventory, you’ll also need to track your vendors within the tool and supply relevant details about those that have an impact on the environment where PHI/ePHI may reside.

When you do this, you’ll be asked about your business associate agreement (BAA) with these vendors, which could help you understand where you don’t have a BAA in place where you should—that’s another common OCR finding.

Having a central list of relevant vendors that you can reference will also help when it comes time for your annual vendor assessment process.

The ONC/OCR SRA Tool Assessment

When all that data entry is done, you’ll move to the assessment portion within the SRA tool, which is broken out into 7 sections that cover the HIPAA Security Rule requirements:

  1. SRA Basics
  2. Security Policies
  3. Security & Workforce
  4. Security & Data
  5. Security and the Practice
  6. Security and Business Associates
  7. Contingency Planning

When you complete these sections, you’ll address vulnerabilities, threats, likelihood, and impact, as well as general questions about your controls.

Vulnerability Identification

For each of the aforementioned sections, you’ll select from a list of predefined potential vulnerabilities that might apply within your environment. Not only might you learn about and consider vulnerabilities not thought of previously, but you’ll also be able to focus your risk considerations on the selected vulnerabilities.

Threats, Likelihood, and Impact Consideration

Once you’ve done that, the tool will present potential threats based on your vulnerability selections. 

You’ll assign the likelihood—low, medium, high—and impact—low, medium, high—for each potential threat listed. 

General Questions

The general questions for each section will be multiple-choice and cover the individual HIPAA Security Rule requirements in a way to gauge the level of coverage you currently have.

Based on how you answer, you’ll be provided:

  • “Areas of Success”
  • “Areas for Review”: Gives some good insight into alternative or additional options that would help improve your HIPAA compliance.

Using Your SRA Tool Results

With both the Practice Info section and the seven Assessment Sections completed, the tool features various forms of reporting that provide overall summaries and areas where you can make improvements—these reports are evidence of your risk analysis being completed, since you’ll have a formal document that details the results, and that will help with any OCR investigation.

Once this step is completed, you can then move on to identifying appropriate security measures that will reduce the risks identified in this risk analysis process, as required by §164.308(a)(1)(ii)(B) of the HIPAA Security Rule.

But remember, this risk analysis process should not be a one-time event—risks change over time as internal and/or external factors within your business change. You should have a process in place to perform a new risk analysis on some recurring basis (typically annually), but also if a major change occurs in your environment.

Not performing regular analysis is another common oversight—it’s not enough to just do it once, even if you do take advantage of the SRA Tool. You must stay apprised of new risks and the necessary additional or updated safeguards to remain compliant with HIPAA.

Do You Need HIPAA Express?

Of course, if you want to be even more sure that your risk management is up to snuff and better your chances against possible violations and fines, you may even want to invest in further help.

You may have previously undergone a full HIPAA attestation, but our HIPAA Express service is tailored to focus on the risk analysis/risk management challenges as a direct response to all the recent OCR enforcement actions against healthcare organizations.

The SRA Tool can help, as can our in-depth whitepaper on HIPAA risk program considerations, but our HIPAA Express service can further solidify your due diligence done in this area for the OCR while also aiding in your risk mitigation.

Moving Forward with HIPAA Compliance

We understand that another assessment may not be in the budget, but that’s why the SRA Tool represents a great free option even with the more complex risk analysis tools and methodologies out there. Though statistics show that many covered entities and business associates do not perform a HIPAA risk analysis as required by §164.308(a)(1)(ii)(A) of the HIPAA Security Rule, the SRA Tool can help those organizations looking to simply identify and assess risk as required by the HIPAA Security Rule.

If you are interested in learning more about HIPAA Express directly from our compliance experts, we encourage you to reach out to us today. Otherwise, please check out our other content that can help you solve other healthcare compliance challenges:

About the Author

Doug Kanney

Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.
