If your organization offers a group health plan and has access to protected health information (PHI), HIPAA requires you to conduct a Security Risk Assessment (SRA), and the federal SRA Tool just got an important update.
The new version 3.6 of the SRA Tool includes a helpful feature: you can now mark each section individually with the date it was reviewed and the name of the reviewer. This makes it easier to track progress, monitor updates, and ensure the assessment is complete, an important improvement for staying organized and audit-ready.
Who This Applies To
This requirement impacts more employers than you might think. It includes those who sponsor:
- Self-insured or level-funded health plans
- HRAs (including ICHRAs that reimburse more than premiums)
- Health FSAs, unless they’re self-administered and have fewer than 50 eligible participants
- Fully insured plans where the employer receives PHI (e.g., through a claims data feed)
It also applies to business associates of these plans. Even fully insured employers may be on the hook for HIPAA compliance if they access PHI or sponsor additional plans like HRAs or FSAs.
Why It Matters
HIPAA violations can be costly (up to $50,000 per violation per day) and often stem from missing or outdated SRAs. The SRA is the foundation of your HIPAA compliance program: it guides how you safeguard PHI, develop internal policies, and train employees. Failing to conduct one, or failing to update it after significant changes, can trigger penalties, corrective actions, and even litigation.
What Employers Should Do
- Download the updated SRA Tool v3.6
- Review and update your existing SRA if needed
- Use the new section-by-section tracking feature to stay on top of reviews
- Confirm with your TPA or vendors that they’re also fulfilling their HIPAA responsibilities
- Train staff who handle PHI on your updated policies and safeguards
Bottom Line
HIPAA compliance isn’t optional, and with the latest updates to the SRA Tool, it’s now easier to stay on track. Use this opportunity to revisit your privacy and security practices, before an audit or breach forces you to.