What is an SRA? First, it is helpful to know what it is not: an SRA is not merely an assessment of how an organization meets each of the HIPAA Security Rule requirements. Such an assessment is only one small step in the SRA process. A properly conducted SRA also includes an analysis of the risks, threats and vulnerabilities to the confidentiality, integrity and availability of protected health information. It should be performed on all systems that create, receive, transmit or maintain protected health information – not just the electronic health records system.
Larger organizations (both business associates and covered entities) can benefit from reviewing these enhancements to stay current on how OCR will evaluate SRAs, and should use this as an opportunity to make sure the organization has an SRA that meets current expectations. Remember, the SRA is the first document OCR requests in the case of a breach, and it is almost always cited as an issue in OCR and State Attorneys General settlement agreements.
A link to the updated SRA can be found here.