New HIPAA Tool Released by the Federal Government – Makes Assessing Risks Easier and It Won’t Cost You a Dime

April 10, 2014 | By Lawrence J. Tabas

Do you lie awake at night wondering if you or the health care entity for which you work is complying with the Health Insurance Portability and Accountability Act (“HIPAA”)? If so, you will be happy to hear that a good night’s sleep might be in your future.

The government recently released a new software tool, called the Security Risk Assessment Tool (“SRA”), which can be used by organizations to identify HIPAA vulnerabilities. According to the press release issued by the U.S. Department of Health and Human Services (“HHS”), the SRA is geared toward small- to medium-sized organizations, and it is “designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations . . . .”

Entities that have access to or handle protected health information, such as covered entities and business associates, are required by HIPAA to perform risk assessments of vulnerabilities to protected health information, including a review of HIPAA-required administrative, physical, and technical safeguards. Failure to perform a proper risk assessment as required by HIPAA can lead to large penalties. HHS hopes that the SRA will improve providers’ compliance with HIPAA.

The SRA, as well as instructions and an additional description of the SRA’s features and functions, are available here. The SRA is designed as a series of questions. By answering the questions, providers will be guided through the HIPAA risk assessment process to identify security risks to protected health information. According to, the SRA contains resources with each question to help providers do the following:

  • Understand the context of the question;
  • Consider the potential impacts to your PHI if the requirement is not met; and
  • See the actual safeguard language of the HIPAA Security Rule.

Note that this process will likely be time-consuming, as the SRA contains a total of 156 questions. However, providers do not need to complete all questions at once – the SRA permits users to save their progress and continue at a later time.

Although the SRA may seem like a miracle for some providers, the SRA contains a disclaimer that it does not guarantee compliance with federal, state, or local laws. Therefore, while HHS notes that the SRA produces a report that can be submitted to auditors, you should be aware that your use of the SRA does not guarantee that you will be protected from potential HIPAA breaches and fines. You should still consult with an experienced health care attorney for advice regarding your obligations under the law.

The Health Law Gurus™ will continue to follow issues regarding HIPAA tools and compliance.

We encourage you to share your experiences and thoughts about HIPAA compliance and risk assessments with us and our readers in the comments section below.

You can read the HHS press release here.
