Conducting or reviewing a security risk analysis (SRA) to meet the standards of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicaid EHR Incentive Programs.
The Security Risk Analysis must be conducted or reviewed for each Program Year an Eligible Provider applies for an EHR Incentive Program payment. It is acceptable for the security risk analysis to be conducted or reviewed outside the 90-Day EHR reporting period; however, the SRA or review:
- Must be unique for each EHR reporting period;
- The scope must include the full EHR reporting period, and;
- Must be conducted within the calendar year of the EHR reporting period: January 1st – December 31st.
The SRA identifies where all electronic protected health information (e-PHI) is stored, received, maintained or transmitted. The asset inventory is used to determine the scope of the security risk analysis. It should include:
- Computer hardware and software;
- Laptops, tablets, and smart phones;
- Flash drives, thumb drives, external hard drives, and magnetic media;
- Printers, copiers, fax machines.
The SRA Tool
The Security Rule requires providers to put into place reasonable and appropriate administrative, physical and technical safeguards to protect patients’ ePHI.
The HealthIT.gov website has a Security Risk Assessment Tool that can help providers perform an SRA:
A paper-based version of the tool is available as three separate documents that can be downloaded and printed:
Administrative Safeguards (.docx, 290 KB)
Physical Safeguards (.docx, 240 KB)
Technical Safeguards (.docx, 255 KB)
Tips on How to Address the SRA Toolkit Questions (.docx, 13 KB)
Disclaimer: The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.
The CMS Security Risk Analysis Tip Sheet
SRA references, definitions, Myths and Facts, and more information are contained in the CMS SRA Tip Sheet:
For questions, contact the Vermont EHRIP Team at ahs.dvhaEHRIP@vermont.gov
(Page last updated 01/18/2018)