Who’s Completing Your HIPAA SRA This Year? How to Decide

The deadline for submitting your HIPAA security risk assessment (SRA) is getting closer. 

And the biggest mistake small and medium-sized businesses (SMBs) can make is waiting until the last minute to start thinking about the assessment.  

Many healthcare organizations, especially small ones, feel heavily burdened by the complexities of the HIPAA assessment process, but that burden can be alleviated if you start tackling SRA-related tasks far in advance. 

One of those critical tasks is deciding who in your organization should complete the assessment. Many small organizations don’t have a dedicated internal employee to handle compliance full-time, so when the time comes to start the SRA process, they struggle to pick a point person to complete and submit the assessment by the deadline. 

When is the HIPAA SRA Deadline? 

Organizations must perform security risk assessments at least once annually to maintain compliance with HIPAA regulations. The SRA must be submitted by December 31st of each year.  

The SRA process is extensive, so many SMBs will hold off getting started and then rush to meet the deadline. This leads to inaccurate assessments and incomplete security protocols, so waiting until the last minute to figure out who will do the assessment and how isn’t wise.  

Fortunately, it’s not too late to begin the SRA process for this year and be more than ready for the approaching deadline.  

Who Should Complete the HIPAA Assessment? 

The first thing covered entities should decide is who will complete the HIPAA assessment. Establishing a point person will ensure the SRA is accurately completed and submitted by the deadline. There are several different options to consider:

Appointing a Compliance Champion 

One approach is to designate an internal compliance champion or SRA owner who will handle the SRA within your organization. For SMBs, this might be a Practice Manager or member of the IT staff. Ideally, this person should be well-versed in HIPAA regulations and deeply understand your organization’s operations. To officially appoint the person responsible for the SRA, you should: 

  • Identify the Need: Begin by clearly defining the role of the compliance champion and the specific responsibilities they will have. Determine why you need to fill this role and how they will contribute to your organization’s compliance efforts. 
  • Describe the Job: Whether it’s an internal existing resource or a new hire, it’s important to create a detailed job description outlining what this role will entail and its ideal qualifications, skills, and experience. This description should include a clear understanding of HIPAA regulations and compliance requirements. 
  • Search and Assess: Start searching, assessing, and interviewing candidates. If you work at a smaller organization where there aren’t many options, you should still try to pick a person who is a fast learner and has some familiarity with HIPAA regulations. 
  • Select a Candidate: Choose the candidate who best meets the requirements and demonstrates a strong commitment to compliance. Ensure that the selected individual has the necessary skills and knowledge to carry out the responsibilities effectively. 
  • Train and Support: Especially if your internal compliance champion ends up being your office manager or IT person, providing training and resources is the best way to help them fulfill their duties effectively. This may include ongoing education about HIPAA regulations, compliance best practices, and any specific tools or software they need. 

Alternatively, you can hire an external compliance expert who specializes in healthcare compliance. They can bring fresh perspectives and expertise to the assessment process, ensuring a thorough evaluation of your compliance efforts without burdening your team. 

Hiring a Contractor 

If you don’t have the budget to invest in an SRA owner or you lack the necessary in-house expertise and resources, hiring an external contractor can be a viable option. These contractors are often well-versed in conducting SRAs for healthcare organizations. They can bring a wealth of experience and objectivity to the assessment, ensuring a comprehensive evaluation of your security risks. Make sure to vet contractors carefully and choose one with a solid track record in healthcare compliance. 

A contractor, especially one who is not a compliance expert, may complete an inaccurate assessment and charge expensive hourly rates, so conduct thorough research on potential options before proceeding with this route. 

Partnering with an Expert-Supported Solution 

For a more streamlined and efficient approach, consider using an expert-supported automated solution. These software tools are designed to guide you through the SRA process step by step, making it easier for your appointed team member to complete the assessment accurately.  

Additionally, solutions can come with the support of certified expert assessors who can guide an employee with any level of compliance experience through the SRA. Assessors explain assessment questions and requirements and guide you through the entire completion and submission process.  

This option can save time and reduce the risk of human error in the assessment process, and it can help your appointed person learn how to complete the assessment autonomously the following year. Additionally, with the help of an expert-supported solution, your compliance champion will be able to help fix gaps and vulnerabilities that were identified in the assessment. 

Must-Know HIPAA Security Risk Assessment Requirements 

Once you decide who will be completing your SRA, make sure that regardless of their expertise level, they know the following:  

  • SRA Frequency: The first fundamental requirement is understanding how often to complete the SRA. According to HIPAA regulations, SRAs should be conducted at least once a year to ensure ongoing compliance. However, it’s crucial to note that significant changes in your healthcare system, such as implementing new technology or processes, may trigger the need for additional assessments. 
  • Assessment Questions: Those tasked with the SRA should be familiar with the types of questions that will be asked. Typically, SRAs involve a comprehensive examination of your organization’s security measures, including technical, administrative, and physical safeguards. Questions may cover topics like data encryption, access controls, incident response procedures, and workforce training. 
  • Delegating Sections: Your assigned point person should recognize that not all aspects of the SRA may fall within their expertise. It’s essential to delegate certain parts of the assessment to more knowledgeable team members or external experts when necessary. This ensures that each aspect of the evaluation is conducted thoroughly and accurately. 
  • The Scope of the System: Understanding the scope of the healthcare system is crucial. Your compliance champion should identify all components that interact with protected health information (PHI), including databases, electronic health records (EHRs), and external systems. This comprehensive view helps in assessing vulnerabilities effectively. 
  • Documentation: Thorough documentation is a cornerstone of the SRA process. The person completing the assessment should keep detailed records of the process, including the methodologies used, findings, remediation plans, and any actions taken to address identified risks. Proper documentation demonstrates diligence in compliance efforts and provides a valuable resource for future assessments and audits. 
  • HIPAA Regulations: The person completing the SRA should be familiar with the various HIPAA regulations beyond just the Security Rule, such as the Privacy Rule and the Breach Notification Rule. These rules work in tandem to protect PHI, and understanding their nuances is vital for comprehensive compliance. 
  • Submission Process: After completing the SRA, your compliance champion should be aware of the process for submitting it, particularly if you’re part of a larger healthcare network. The SRA should be submitted to your organization’s designated HIPAA compliance authority to ensure it is appropriately reviewed and integrated into your compliance strategy. Once that’s done, you’ll be able to confidently share the completed assessment if it’s ever requested by a government entity or client.  

Getting Started with the HIPAA SRA  

The decision of who will take the helm in completing the HIPAA security risk assessment is a pivotal first step in your compliance journey. Equipping this individual with the necessary knowledge and resources is paramount to ensure a thorough and effective assessment. Remember, meeting the SRA deadline and maintaining HIPAA compliance are shared responsibilities that demand attention to detail and expertise, and picking the right point person is imperative. 

If you need support, due to limited expertise or a desire for added assurance, check out HIPAA One®, the automated security and privacy compliance solution.  

With certified assessors and powerful automation tools, HIPAA One offers comprehensive solutions to guide you through the entire process, regardless of your level of expertise. Get in touch to get ahead of the SRA deadline and safeguard your organization’s compliance.