Security Risk Analysis (SRA)
Complete your risk assessment and understand your risk level
What is a Security Risk Analysis?
A Security Risk Analysis (SRA) is required by HIPAA. It's a comprehensive evaluation of how you protect patient information. HIPAA Hub guides you through this process with 150+ questions.
Why It Matters
The SRA helps you:
- Identify security risks
- Understand your compliance gaps
- Prioritize what to fix first
- Create a roadmap for improvement
- Prove to auditors that you've assessed your risks
How to Complete Your SRA
Step 1: Access the Risk Assessment
- Go to your Dashboard
- Click "Risk Assessment" in the sidebar
- Click "Start Assessment" or "Continue Assessment"
Step 2: Answer the Questions
HIPAA Hub will ask you about:
Technology & Systems
- What EHR system you use
- How you store patient data
- Your email and communication tools
- Cloud services you use
- Backup and recovery procedures
Physical Security
- Office access controls
- How you secure devices
- Where patient information is stored physically
- Visitor access procedures
Administrative Safeguards
- Who has access to patient information
- How you train employees
- Your incident response procedures
- How you manage business associates
Technical Safeguards
- Password policies
- Encryption methods
- Access controls
- Audit logging
Time Required: 30-60 minutes
Tips:
- Answer honestly - this helps you identify real risks
- Don't rush - take time to think about each question
- You can save and come back later
- If you're unsure, answer conservatively
Step 3: Review Your Results
After completing the assessment, HIPAA Hub will show you:
Your Risk Level:
- Low Risk: Good security practices, minimal gaps
- Medium Risk: Some areas need improvement
- High Risk: Significant gaps that need attention
Your Risk Score: A percentage showing your overall risk level
Action Items: A prioritized list of things to fix
Compliance Status: How ready you are for an audit
Understanding Your Risk Level
Low Risk (Green)
- Strong security practices
- Most requirements met
- Minor improvements needed
- Generally audit-ready
What to do: Maintain your current practices and address any action items
Medium Risk (Yellow)
- Good foundation
- Some gaps need attention
- Improvements needed in specific areas
- May need work before audit
What to do: Focus on high-priority action items and generate missing policies
High Risk (Red)
- Significant security gaps
- Critical improvements needed
- Not ready for audit
- Immediate action required
What to do: Address critical action items first, complete all policies, and upload evidence
Action Items from Your SRA
After completing your assessment, HIPAA Hub creates action items based on your answers. These are organized by:
Priority:
- Critical: Must be addressed immediately
- High: Should be addressed soon
- Medium: Important but not urgent
- Low: Nice-to-have improvements
Category:
- Missing policies
- Security improvements
- Training needs
- Evidence requirements
Annual Renewal
HIPAA requires annual risk assessments. HIPAA Hub will remind you when it's time to renew.
To update your assessment:
- Go to Risk Assessment
- Click "Update Assessment"
- Answer questions again (your previous answers are saved)
- Review changes in your risk level
Common Questions
Q: What if I don't know the answer to a question?
A: Answer based on your best understanding. You can always update your assessment later.
Q: Can I change my answers?
A: Yes, you can update your assessment at any time.
Q: How often should I complete this?
A: At least annually, or whenever you make significant changes to your systems or processes.
Q: What if my risk level is high?
A: Don't panic. Focus on the critical action items first. HIPAA Hub will guide you through improvements.
Next Steps
After completing your risk assessment:
- Review your action items
- Generate missing policies
- Upload evidence
- Address critical security gaps
- Complete employee training
