Security Risk Assessments – What you need to know.

April 10th, 2015


Earlier this year, the Medical Association of Georgia (MAG) released an alert on their website and email campaign urging practices to confirm they are meeting all of the ‘meaningful use’ requirements in full. The Centers for Medicare and Medicaid Services (CMS) plans to conduct 38,000 retroactive and pre-payment audits in 2015, and it is stressing that it will recoup the incentives from practices that did not meet the requirements in full.

CMS auditors have reportedly stated that “…being found deficient on any one measure will cause a provider to be out of compliance. In this case, CMS will recoup the provider’s entire stimulus for the reporting period in question.” CMS has up to six years to conduct an audit for a given year.

Bill Steuer with GSG Compliance, LLC says, “Many practices attesting for Meaningful Use will satisfy each of the requirements for that particular stage, except to actually complete the required Security Risk Assessment. What they do not understand is that if they get audited, CMS can and will take back 100% of the stimulus funds they received for not fully completing the attestation requirements.”

He states, “Additionally, practices who do not attest for Meaningful Use have the misconception that they do not have to complete a Security Risk Assessment. The reality is that the HIPAA Security Rule was enacted in 2003, well before the Meaningful Use program, and it requires that practices mitigate their security risks by periodically performing a Security Risk Assessment.”

Medicus Solutions specializes in healthcare informatics and we are here to help. We have started to see these audits in practices which we support. Completing the security risk assessment is the responsibility of the practice because of the areas it involves. We strongly urge each and every practice to review all of its documentation, and specifically its security risk assessments. You should have a completed security risk assessment for each year / reporting period, and it must be updated with identified risks and risk remediation plans.

We have received a number of requests from clients over the past couple of months for Medicus to complete the practice’s security risk assessment. A security risk assessment comprises at least three (3) areas: administrative safeguards, technical safeguards, and physical safeguards. Completing a risk assessment requires a time investment, and Medicus is here to help its clients with the technical portion of the risk assessment as part of our support. Practices will need to complete the administrative and physical safeguard sections themselves.

The Office of the National Coordinator for Health Information Technology (ONC) has worked with the Health and Human Services (HHS) Office for Civil Rights (OCR) and the Health and Human Services (HHS) Office of the General Counsel (OGC) to develop a tool to help practices complete a security risk assessment.

We have provided access to the tool the ONC has released on our website for your convenience. This includes paper-based versions of the tool, an iPad version of the tool, a desktop computer version of the tool, and the user’s guide for the tool. There are a total of 156 questions. Resources are included with each question to help you:

    • Understand the context of the question
    • Consider the potential impacts to your PHI if the requirement is not met
    • See the actual safeguard language of the HIPAA Security Rule

Paper Based Version of the Tool

Download Administrative Safeguards [DOCX – 269 KB]

Download Technical Safeguards [DOCX – 240 KB]

Download Physical Safeguards [DOCX – 225 KB]

Computer / Desktop Version of the Tool

Download SRA Tool Here – Computer Version (EXE – 66 MB)

iPad Version of the Tool

Download SRA Tool Here – iPad Version

SRA Tool Users Guide

Download SRA Tool Users Guide Here

For updates, below is the link to the site:

MAG Alert:


The Security Risk Assessment Tool is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: The NIST standards provided in this tool are for informational purposes only; they may reflect current best practices in information technology but are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider’s or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.