Security Risk Assessment (SRA)

Overview

Per 45 CFR 164.308(a)(1)(ii)(A), each Medicaid Electronic Health Record (EHR) Incentive Program Eligible Professional (EP) must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic protected health information held by that EP. This webpage provides guidance for NY Medicaid EHR Incentive Program EPs conducting such a risk assessment using the Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool.

Note: An EP may opt to use alternative SRA tools and services. It is the EP's responsibility to ensure that the SRA conducted satisfies the requirements of 45 CFR 164.308(a)(1)(ii)(A).

In collaboration with the Health and Human Services (HHS) Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), ONC developed the SRA Tool to assist providers and professionals in performing a risk assessment. The Tool is available at no cost as a set of downloadable Microsoft Word documents, and an optional software application is also available online. The Word documents and the software application provide similar capabilities.

The documents, SRA application, and additional guidance are available here.

ONC SRA Tool Instructions

The SRA Tool walks through each Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirement by presenting a question about the organization's activities. Answering "yes" or "no" to each question indicates whether corrective action is needed for that particular item. The Tool is divided into three documents:

  1. Administrative Security Questions (73 questions)
  2. Technical Security Questions (45 questions)
  3. Physical Security Questions (38 questions)

There are 156 questions in total.

Important

  • The SRA must be conducted within the same calendar year as the EHR reporting period and prior to the date of attestation.
  • Beginning with payment year 2017, an EP must enter the SRA completion date in MEIPASS.

Additional Resources