Security Risk Assessment Tool: TraceSRA

June 24, 2019

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. To learn more about the assessment process and how it benefits your organization, visit the Office for Civil Rights' official guidance.

What is the Security Risk Assessment Tool (SRA Tool)?

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program.

What is the TraceSRA Tool?

TraceSRA Security Risk Assessment Tool was modeled after the HHS SRA tool but comes with an improved interface, increased usability and an overall easier experience. TraceSRA is web-based and mobile-friendly. There is nothing to download. It is free to use and the reports are yours to keep.

There are three key pieces to the TraceSRA:

  1. Key stakeholders in your organization can collaboratively answer sets of self-assessment questions focused on three key points: policies, procedures and security controls. TraceSRA will dynamically present next questions based on your answers.
  2. After completion of the self-assessment questions, TraceSRA will identify probably threats based on the aggregate results from previous organizations we have worked with. Our tool will automatically map the impact and likelihood of each threat, but you also have the ability to review these on your own and make changes as you see fit.
  3. Once the threats have been weighted, the results from TraceSRA will be displayed in the Summary section segmented by section. The results are visualized for easy interpretation and are then summarized in detail with potential solutions.


Frequently Asked Questions (FAQs)

Who is this for?
TraceSRA is for individuals or teams that are responsible for their healthcare organizations security program.

The HIPAA Security Rule requires that all entities and associates conduct a risk assessment of their healthcare organization. This is our complimentary, easy-to-use tool to help you meet that requirement.

What frameworks is the TraceSRA founded on?
TraceSRA is based on the Security Risk Assessment (SRA) tool developed by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR).

TraceSRA was designed to help healthcare providers perform a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive plan.

Can I allow others on my team to collaborate with me?
Yes. You can add users to your team from the Company tab in Settings.

Is TraceSRA really free? Are there hidden costs?
Yes, TraceSRA is totally free and there are no hidden costs. TraceSRA is a module on our TraceInsight platform. You and your organization have full access to the TraceSRA module, not no others.