Security Risk Assessment (SRA)


Per 45 CFR 164.308(a)(1)(ii)(A), each Medicaid Electronic Health Record Incentive Program (EHR) Eligible Professional (EP) must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic protected health information held by that EP. This webpage provides guidance for NY Medicaid EHR Incentive Program EPs conducting a risk assessment, using the Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool.

Note: An EP may opt to use alternative SRA tools and services. It is the EP's responsibility to ensure that the SRA conducted is compliant.

In collaboration with the Health and Human Services (HHS) Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), ONC developed the SRA tool to help assist providers and professionals as they perform a risk assessment. The tool is available as a set of downloadable Microsoft Word documents, and an optional software application is available online, at no cost. The Word documents and the software application provide similar capabilities.

The documents, SRA application, and additional guidance are available here.

ONC SRA Tool Instructions

The SRA Tool walks through each Health Insurance Portability and Accountability Act (HIPAA) requirement by presenting a question about an organization's activities. A "yes" or "no" answer will show whether corrective actions are needed for that particular item. The Tool is divided into three documents:

  1. Administrative Security Questions (73 questions)
  2. Technical Security Questions (45 questions)
  3. Physical Security Questions (38 questions)

There is a total of 156 questions.


  • The SRA must be conducted within the same calendar year of the EHR reporting period and prior to the date of attestation.
  • Effective payment year 2017, an EP must indicate the SRA completion date in MEIPASS.
  • Effective payment year 2019, an EP must indicate who completed the SRA and their relationship to the EP. Please refer to the following choices for relationship to the EP:
    • Self: the person completing the SRA is the EP.
    • Independent Third-Party Consultant: an individual employed by an entity outside of the EP's practice.
    • Other: an individual who is not the EP or an independent third-party consultant, for example an individual within the internal information technology (IT) department or "IT staff".
  • Effective payment year 2021, an EP has the ability to complete their SRA after submitting their Meaningful Use attestation. MEIPASS will allow providers to input a "Future Date" of completion within the calendar year of 2021. Providers who utilize this option will need to complete their SRA by the end of the calendar year, and also retain detailed documentation related to its completion.

Additional Resources