
Free SRA Auditing Tool to Ensure HIPAA Compliance

Updated  |  4 min read

HIPAA security requirements are always changing. A covered entity (CE) not only has to keep up with the latest attack methods used against healthcare organizations, but must also accommodate changes to the HIPAA Security Rule and Privacy Rule.

To keep up with the latest security threats, it's vital to audit the HIPAA security measures you have already taken and discover where your security could use bolstering. The Security Rule also requires a CE to conduct a risk analysis of its ePHI, so this is not optional. The United States government provides a free Security Risk Assessment (SRA) tool at HealthIT.gov, developed by ONC and the HHS Office for Civil Rights (OCR), to help you accomplish this.

This tool can help identify and assess risk with ePHI in all medical apps, servers, medical portals, websites, kiosks, and more. Let’s take a look at what the SRA tool does—and what it doesn’t do.

It’s important to remember that the SRA tool does not fix problems directly. The SRA tool helps identify strengths and weaknesses in HIPAA security, but every CE needs to do the legwork to fully protect the patient data and consumer information in their care.

There’s No Such Thing as HIPAA Certification

There’s no such thing as “HIPAA certification.” Some companies will try to sell the idea of HIPAA certification, but the federal government does not recognize any certification in HIPAA. The company is only offering its own certification, which really doesn’t mean much of anything.

A company offering “HIPAA certification” is not necessarily any better than one that doesn’t make the claim. What does matter is the experience and track record of a vendor to help you with HIPAA compliance.

SRA HIPAA Auditing Tool

What the SRA HIPAA Auditing Tool Does

The SRA tool will ask questions about the steps you've already taken and assess how effective they currently are. It will also bring up aspects of the Security Rule that you might not be familiar with, so it can be an excellent eye-opener for many CEs. The SRA tool:

Addresses What You’ve Already Done

There’s no doubt that you’ve already taken significant steps to protect HIPAA data with proper security, and the SRA tool acknowledges that. Because the tool delivers some information in graph form, seeing where you start out and where you end up can be very satisfying.


Identifies Problem Areas

This is where the SRA really shines. Based on your answers to the questions, it will let you know where your security is lacking and give you a list of areas that need to be addressed to make your information storage more HIPAA compliant.

Tells You Where Your Greatest Risks Lie

There is a significant difference between identifying problem areas and discovering where your greatest risks lie. The SRA tool might identify six problem areas, but one of them may matter far more than the other five because it is both likely to be exploited and would expose a lot of ePHI if it were. Fixing that one large issue first can be more important than fixing the five smaller ones.


Guides Long-Term Maintenance

The tool isn’t just about telling you what you’re doing right and what you’re doing wrong. It will also make recommendations for how you can plan for future updates.

Assesses Administrative and Physical Risks

The SRA tool isn't just assessing technical safeguards. While making sure your on-premises or cloud data protection is up to date is incredibly important, the SRA also addresses the administrative and physical safeguards the Security Rule requires. This gets many CEs thinking about workforce training and about physical security for devices that hold ePHI. You need to make sure your administrative, physical, and technical safeguards are all HIPAA compliant.
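The two points above, ranking findings by how much risk they carry and grouping them by safeguard family, can be illustrated with a small risk-register script. This is an added example and is not code from the SRA tool or from this article; the SRA tool does rate each vulnerability on likelihood and impact, but the three-level scale, the field names, and the sample findings below are assumptions chosen for illustration.

```python
"""Prioritize risk-assessment findings by likelihood x impact.

Added example, not part of the HHS SRA tool or the article. The scoring
scale, the Finding fields and the sample findings are all assumptions.
"""
from dataclasses import dataclass

# Ordinal scales (assumed): 1 = low, 2 = medium, 3 = high.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    ref: str          # hypothetical finding identifier
    safeguard: str    # "administrative", "physical" or "technical"
    description: str
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT

    @property
    def score(self) -> int:
        """Risk score as likelihood x impact on the assumed 1..3 scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(findings):
    """Return findings ordered highest risk first.

    Ties on score are broken by impact (a rare but catastrophic exposure
    outranks a frequent nuisance), then by ref so the report is stable.
    """
    return sorted(
        findings,
        key=lambda f: (-f.score, -IMPACT[f.impact], f.ref),
    )


def risk_by_safeguard(findings):
    """Sum scores per safeguard family so the report shows which area
    (administrative, physical, technical) carries the most total risk."""
    totals = {"administrative": 0, "physical": 0, "technical": 0}
    for f in findings:
        totals[f.safeguard] += f.score
    return totals


def top_risks(findings, n=3):
    """Refs of the n highest-risk findings, the ones to fix first."""
    return [f.ref for f in prioritize(findings)[:n]]


# Constructed sample findings (not real assessment results).
SAMPLE_FINDINGS = [
    Finding("A-01", "administrative", "No documented sanction policy", "medium", "low"),
    Finding("A-02", "administrative", "Workforce security training not tracked", "high", "medium"),
    Finding("P-01", "physical", "Laptops holding ePHI are not encrypted", "medium", "high"),
    Finding("T-01", "technical", "Shared login on the patient portal admin console", "high", "high"),
    Finding("T-02", "technical", "Audit logs retained for 30 days only", "high", "low"),
    Finding("T-03", "technical", "No automatic logoff on kiosk workstations", "medium", "medium"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.score:>2}  {f.ref:<5} {f.safeguard:<14} {f.description}")
    print(risk_by_safeguard(SAMPLE_FINDINGS))
```

With the sample data, the shared admin login (high likelihood, high impact) comes out first, and the unencrypted laptops outrank the untracked training even though both score 6, because an encryption gap on a lost device exposes more ePHI. The per-safeguard totals show that technical findings dominate this register, which is the kind of summary that helps decide where remediation effort goes first.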


Proves Future Intent

Once you complete an SRA and put a remediation plan in place, the resulting document is the risk analysis that the HHS Office for Civil Rights (OCR) will ask for if it investigates a breach. Being able to show that you identified your risks and were taking steps toward industry best practices can help reduce the penalties OCR levies; not having a risk analysis at all is one of the findings OCR cites most often in its enforcement actions.

What the SRA HIPAA Audit Tool Doesn’t Do

The SRA is very impressive for a free tool and is an excellent starting place for risk assessment, but it won't do everything you need to mitigate your risks. You'll still need additional tools and hands-on work, often from a developer experienced with HIPAA, to make your site as secure as possible.


It’s Not Fixing Problems

The SRA is identifying problems, not fixing them. You will be told where your site security should be bolstered, but you need to take those steps.

It’s Not Performing Pen Tests

The SRA does not perform penetration testing or vulnerability scanning of your site; it is a questionnaire about your safeguards, not a scanner. Finding exploitable vulnerabilities requires separate tooling or an engagement with a testing firm, and some scanning may be provided by your HIPAA-compliant web hosting choice.


Working With Clarity

As we mentioned before, there’s no such thing as HIPAA certification. Similarly, there’s no “HIPAA compliance number” you’re chasing to ensure you’re off the hook if a breach does occur. You're simply expected to follow the rules and guidelines of HIPAA law, and this often means following industry best practices. HIPAA experts know what these practices are.

Many of these practices are outlined in the SRA, and working with an experienced developer can ensure you’re matching the standards that will prove you’ve taken steps to protect the ePHI in your care. It’s an excellent idea to review the information in an SRA report on a regular basis with anyone in your company tasked with handling ePHI or maintaining PHI physical safeguards.

Clarity has dozens of articles on our website about HIPAA compliance and how you can improve your data protection efforts. We also offer a complimentary discovery process to help you create a plan based on the SRA and the decade-plus experience we have to offer. Get in touch to schedule a meeting with our HIPAA experts today.


Stephen Beer is a Content Writer at Clarity Ventures and has written about various tech industries for nearly a decade. He is determined to demystify HIPAA, integration, and eCommerce with easy-to-read, easy-to-understand articles to help businesses make the best decisions.