Security Risk Assessment for Practices

Security Risk Assessments (SRA)... for some, those three words strike fear into the heart of a grown adult. But it doesn't have to be that way. Perhaps you've heard the myth: the one about smaller practices that only take cash, so they don't need to follow HIPAA and don't need to do a security risk assessment? It's a trap, potentially a very costly one, and the requirement is not one you can avoid.

Every practice creates a medical record when a patient is first seen, and every medical record is protected by HIPAA. This means that all of us, as healthcare providers, are bound by its rules and regulations.

HIPAA has two fundamental rules that concern us here: the Privacy Rule and the Security Rule. They affect everything we do in our practices and need to be understood by every practice owner and staff member.

The HIPAA Security Rule requires that practices identify possible threats, assess specific vulnerabilities, determine appropriate and reasonable safeguards, and implement the necessary defenses and policies; the Privacy Rule likewise requires reasonable safeguards for protected health information, and the same assessment serves both.

This is not a new topic here on NPBusiness; we've covered various aspects of HIPAA in several earlier posts. This time, though, let's talk about the Security Risk Assessment.

Security Risk Assessment:

The Department of Health and Human Services, through its Office for Civil Rights (OCR) and the Office of the National Coordinator for Health IT (ONC), has provided a tool that walks you through how to do an SRA. The accompanying video gives an overview of how to use the tool for your practice. Below, we'll talk more about some of the areas you'll want to look at.

Keep in mind, there are paper versions of this tool available as well. The tool, in its current form (at the time of this post), is available as a Windows .exe file and an iOS app for the iPad. There does not appear to be a Mac version, though at least one resource offers an Excel workbook you can use instead (see the resources at the end of the article).

What are some of the areas you need to look at?

Physical Safeguards

  • Where are you accessing patient data?
    • Are offices locked?
    • Is there verbal spillover? Can conversations about patients be overheard at the front desk or through walls?
    • Are you using privacy screens to shield monitors from secondary viewing?
    • How secure is the building? Are there alarms?
  • What is your equipment like?
  • Can computers holding patient data be stolen? What about your portable devices, such as laptops, tablets and phones?

Administrative Safeguards

  • You need a security officer. Have you named one? (Yes, it can be you.)
  • Has everyone been trained appropriately?
  • What are the controls for information access?
  • Are you doing reassessments? How often?
  • Got policies?

Technical Safeguards

  • Who has access to records, and is each person's access limited to what their role needs?
  • What happens if a hard drive crashes? Do you have backups, and have you tested restoring from them?
  • Are you using audit logs to monitor activity? (Logging is almost always built into your EHR, but someone still has to review the logs.)
  • Do the EHR and other software provide for secure, authorized electronic exchange of information?
  • How secure is your network? Who can reach it from outside your facility, or even from your waiting room? Guest Wi-Fi should be separate from the network that carries patient data.
  • Think: password managers, backups, encryption, virus/malware protection.

Policies and Procedures

  • HIPAA P&P to ensure proper compliance
  • Documentation and retention of records
  • Who are your authorized users and is it documented?
  • What happens when someone leaves your practice?

Organizational Requirements

  • Business Associate Agreements
    • Appropriate vendors
    • Review and update agreements

Doesn’t the EHR take care of all of this?

No. EHR vendors, for the most part, have done a very good job of taking care of their side of the security question, but we have to do ours as well. Even the most advanced EHR cannot stop a breach if the practice does things such as leaving a password set to "password".

Practices must extend that security to our facilities, our people and our procedures.

Once the SRA has been completed, the next required step is to create a plan to bring your practice into compliance and keep it there: for each risk you identified, record the safeguard you chose, who is responsible for it and when it was put in place. This is what protects your practice and the information you have been entrusted with.

I've listed some resources below for further information. There are, of course, consultants and vendors who will do this for you, but consider at least getting started yourself so you know exactly where you stand.


HHS Security rule

SRA Tool

National Institute of Standards and Technology (NIST)


Policies and Procedures for a Successful Medical Practice – this is a great resource for writing policies and procedures. Comes with templates that you can easily tweak – including for this topic! On Amazon.

Your Turn:

How did you do on your assessment? Did you learn anything?
