Security Risk Assessment Tool Eases Providers’ HIPAA Compliance

On March 28, 2014, the Office of the National Coordinator for Health Information Technology (ONCHIT) released a security risk assessment (SRA) tool designed to help providers in small to medium-sized organizations assess their risk of noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

Available at, the tool enables these providers to comply with the requirements of the HIPAA Security Rule.

According to HHS, the SRA is a key requirement of compliance with HIPAA and of demonstrating “meaningful use” of electronic health records (EHR) for purposes of qualifying for payments under the EHR Incentive Program. The SRA involves assessment of the physical, administrative, and technical security of patients’ protected health information. Use of the assessment informs providers of the weaknesses and vulnerabilities of their systems so that they can resolve problems before a breach occurs.

On the website, potential users will find a video tutorial, a user guide, and links to other helpful information. The tool is available for both the Windows and iPad operating systems. In addition to talking the user through the assessment, the tool prepares a report that may be submitted to auditors.

Collaborative Effort

The tool is the product of collaboration between ONCHIT and the Office for Civil Rights (OCR), which is charged with the enforcement of HIPAA. Public comments on the tool can be submitted through June 2, 2014.