Report Fraud

Security Risk Analysis Tool


Conducting a Security Risk Analysis (SRA) is a requirement of the SC Medicaid Promoting Interoperability Program.

The SRA requires at a minimum:

  • Assessment of current security, risks, and gaps.

  • Development of an implementation plan.

  • Implemented solutions. A covered entity must implement security measures and solutions that are reasonable and appropriate for the organization.

  • Documented decisions. A covered entity must document its analysis, decisions and the rationale for its decisions.

  • Periodic reassessment with documentation of updates.

What is a Security Risk Analysis?

Watch the Security Risk Analysis instructional videos to learn more about the assessment process and how it benefits your organization. Also, visit the Office for Civil Rights' official guidance.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization:

Security Risk Assessment Tool

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the Health & Human Services (HHS) Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), developed a downloadable SRA Tool to help guide you through the process.

The SRA Tool takes you through each HIPAA requirement by presenting questions about your organization’s activities. Your “yes” or “no” answer will show you if you need to take corrective action for that particular item.

You can document your answers, comments, and risk remediation plans directly into the SRA Tool. Resources are included with each question to help you:

  • Understand the context of the question

  • Consider the potential impacts to your PHI if the requirement is not met

  • See the actual safeguard language of the HIPAA Security Rule

The tool serves as your local repository for the information and does not send your data anywhere.

Completing a risk assessment requires a time investment. At any time during the risk assessment process, you can pause to view your current results. The results are available in a color-coded graphic view (Windows version only) or in printable PDF and Excel formats. 

For details on how to use the tool, download the SRA Tool User Guide [PDF - 2.2 MB]*.

Back to Top