Gulf Coast Regional Extension Center


What is an SRA?

The Security Risk Analysis (SRA) is a Health Insurance Portability and Accountability Act (HIPAA) requirement, and it is also required by CMS for both Meaningful Use and the Merit-based Incentive Payment System (MIPS). However, the most important reason to do an SRA is to keep your patients' Protected Health Information (PHI) safe. An SRA has to be conducted annually to remain compliant with HIPAA and CMS requirements.

The information stored in your Electronic Health Record (EHR) is very attractive to hackers: your EHR holds everything they need for identity theft, all in one place. Steps to ensure the safety of your patients' PHI include:

  • Conduct a vulnerability assessment on your network annually
  • Follow security best practices for securing your network
  • Ensure that your security policies define the proper procedures for handling PHI and for interacting with patients
  • Evaluate your physical security to ensure it limits access to your network equipment

An SRA conducted by GCREC covers all of the above. The SRA Package delivered at the completion of our assessment includes:

  • SRA report – describes your current network configuration along with your risks and potential exposures, and gives recommendations on how to mitigate them
  • SRA tool – shows how your risks and potential exposures were determined
  • Action Plan – lists all of the risks and potential exposures, and can be used to track each step of your mitigation process
  • Security Policy Guide – can be used to create your own security policies, or to ensure your existing security policies cover all areas required by HIPAA

Please contact GCREC if you are interested in securing your network and your PHI.