HIPAA resource center

Securing privacy



Physicians and other clinicians must also secure electronic protected health information (ePHI). Federal law requires that clinicians prevent unauthorized access to ePHI, but you must also maintain copies of ePHI in case of disaster. Securing ePHI depends upon both policy and technical measures.

Basic requirements for securing ePHI include:


Perform or update a security risk analysis (SRA) at least once each year.

Conducting an SRA is the first HIPAA security requirement, and it may be the most important step in your compliance. The SRA identifies gaps in your compliance and vulnerabilities to threats. Your practice can then address the gaps and vulnerabilities.

There is no single way to conduct an SRA. But a robust SRA includes an administrative and a technical component. The administrative component is the larger part of the SRA. It assesses whether your practice has implemented the various policies and procedures required by HIPAA. It usually takes the form of a series of questions, so it requires active participation by the practice.

The technical component concerns issues such as proper protection of your network by a firewall. Many practices rely on vendors or IT specialists for technical support, and these experts should understand the technical requirements. Some even offer health care SRAs as part of their services. Work with your vendor or IT specialists to document technical compliance.

You should conduct an SRA once a year, or any time your practice operations or technology change significantly. HHS has developed a free tool that helps small practices conduct an SRA. Security consultants and vendors can also help conduct an SRA, and the analysis may benefit from their security and compliance expertise.



Develop policies and procedures needed to address security gaps and vulnerabilities identified by the SRA.

People often think of HIPAA as a technology problem, but most of its requirements have to do with setting proper policies. In fact, most breaches of PHI are caused by human error, either because of inadequate policies or because staff did not follow the policies. Outline clear policies and procedures, guided by your SRA, and provide regular staff training. All staff should complete HIPAA awareness training annually, but it is just as important to train staff on your security policies.



Identify business associates (BAs) with access to your ePHI, and sign contracts that specify their obligations to protect patient data.

A business associate is any outside party that gains access to your PHI as part of the services it provides. Typical examples include EHR vendors, IT service companies, data backup services, outside billing services, and more. Federal law requires BAs to comply with HIPAA to the same extent as clinicians. Identify all vendors that have access to your PHI as part of the services they provide. You must sign a business associate agreement (BAA) with each one. The BAA is a contractual commitment by the BA to comply with HIPAA and protect PHI. If a vendor will not sign a BAA, you must not give them access to your PHI. The Academy has developed a free BAA template (PDF) you may customize for use with BAs.



Regularly back up ePHI, so you can restore from backups if necessary.

Doctors and other clinicians are entrusted with patient health information, but federal law also makes them responsible for ensuring that information’s integrity. Clinicians are required to maintain exact copies of ePHI for at least six years, though some states require longer retention. The most common cause of data loss is human error, but health care has also become a frequent target of malware, which may corrupt ePHI. Even in cases of disaster, when a practice’s facilities have been completely destroyed, federal law requires the practice to maintain a copy of ePHI. Today, many practices use cloud services to back up their ePHI. Cloud services offer a number of advantages, including the fact that backup data is stored away from the practice, with redundant copies at more than one location. Cloud backup also typically requires less labor and allows for quicker restoration. But remember that cloud backup services are BAs—they must comply with HIPAA, and you must sign BAAs with them.
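A backup is only useful if the copy is actually an exact copy, and the paragraph above points out that malware can corrupt ePHI silently. The script below is an added example (not code from the Academy or from any vendor) of the check a practice or its IT provider can run: record a SHA-256 digest of every file at backup time, then compare each stored or restored copy against that record to find files that are missing, altered, or unexpected. The directory layout, file names and file contents are constructed for the demonstration; the `demo()` function builds a pristine source, one faithful copy, and one copy that has been damaged after the fact.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large record sets do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest.

    Run this against the source at backup time and store the result separately
    from the backup itself, so a damaged copy cannot also damage the record."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare a stored or restored copy against the manifest taken from the source.

    Returns three sorted lists: files absent from the copy, files whose content
    differs from the source, and files present in the copy but not in the source."""
    current = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: a source directory, a faithful copy, and a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        good = Path(tmp) / "copy_a"
        bad = Path(tmp) / "copy_b"
        # Hypothetical record files; the contents are placeholders, not real PHI.
        for d in (src, good, bad):
            (d / "records").mkdir(parents=True)
            (d / "records" / "patient_0001.txt").write_text("constructed record 1\n")
            (d / "records" / "patient_0002.txt").write_text("constructed record 2\n")

        manifest = build_manifest(src)

        # Simulate what corruption by malware and a lost file look like in copy_b.
        (bad / "records" / "patient_0001.txt").write_text("garbage\n")
        (bad / "records" / "patient_0002.txt").unlink()

        return {
            "copy_a": verify_copy(manifest, good),
            "copy_b": verify_copy(manifest, bad),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

In practice the manifest would be written to a file (for example, JSON) and kept with your security documentation rather than alongside the backup, and the verification would be scheduled to run against each backup location so that a corrupted or incomplete copy is discovered before it is needed for a restoration.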



Maintain all security documentation for at least 6 years.

Keep all documentation for at least six years, as required by federal regulations. The most important document is your SRA. You should also document your compliance policies and procedures, along with documentation of compliance training. Finally, you must also document any security incidents, including breaches or lost hardware that contains ePHI.


