Skip to main content

Security Risk Analysis


Because of the earlier attestation window for PY2021, the requirement to complete a Security Risk Assessment (SRA) has been modified. Previously, a provider was required to attest to an SRA being completed during the PY for which they are attesting; the SRA had to already be completed prior to attestation and provide documentation of the SRA with the application.

When providers attest for PY2021, they will be asked if the measure (completing an SRA) has been completed prior to the date of attestation. If the response is "no", then they will be asked to attest that the SRA will be completed no later than December 31, 2021 and that they understand that their incentive payment will be subject to recoupment for failure to do so.

All attesting providers must upload a copy of their 2021 SRA to MAPIR by January 31, 2022, otherwise they will automatically be selected for audit.

SRA Guidelines

Conducting or reviewing a security risk analysis (SRA) to meet the standards of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicaid PIP/EHR Incentive Program every year.

The Security Risk Analysis must be conducted or reviewed for each Program Year an Eligible Provider applies for a PIP/EHR Incentive Program payment. It is acceptable for the SRA to be conducted or reviewed outside the 90-Day PIP/EHR reporting period; however, the SRA or review:

  • Must be unique for each PIP/EHR reporting period;
  • The scope must include the full PIP/EHR reporting period, and;
  • Must be conducted within the calendar year of the PIP/EHR reporting period: January 1st – December 31st.

SRA references, definitions, Myths and Facts, and more information are contained in the CMS SRA Tip Sheet.

Asset Inventory 

The SRA identifies where all electronic protected health information (e-PHI) is stored, received, maintained or transmitted. The asset inventory is used to determine the scope of the security risk analysis. It should include:

  • Computer hardware and software;
  • Laptops, tablets, and smart phones;
  • Flash drives, thumb drives, external hard drives, and magnetic media;
  • Printers, copiers, fax machines.

The SRA Tool

The Security Rule requires providers to put into place reasonable and appropriate administrative, physical and technical safeguards to protect patients’ ePHI.

The HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) updated the popular Security Risk Assessment Tool in September 2020 to make it easier to use and apply more broadly to the risks to health information. The tool is designed for use by small to medium sized health care practices – those with one to 10 health care providers – covered entities, and business associates to help them identify risks and vulnerabilities to ePHI. The updated tool provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI. Here is a link to the updated tool:   (version 3.2)

A paper-based version of the 2.0 version of the ONC/OCR Security Risk Assessment Tool can be utilized to generate the Security Risk Analysis document. The links below are to Word documents that can be downloaded and printed:

Administrative Safeguards (.docx, 290 KB)

Physical Safeguards (.docx, 240 KB)

Technical Safeguards (.docx, 255 KB)

Tips on How to Address the SRA Toolkit Questions (.docx, 13 KB)

Disclaimer: The Security Risk Assessment Tool at is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

The CMS Security Risk Analysis Tip Sheet

SRA references, definitions, Myths and Facts, and more information are contained in the CMS SRA Tip Sheet:

For questions, contact the Vermont PIP/EHRIP Team at

Back to the Vermont Medicaid PIP/EHRIP Home Page

(Page last updated 02/22/2021)