Skip to content
business documents on office table with smart phone and laptop computer and graph financial with social network diagram and three colleagues discussing data in the background

What happens if an SRA is not conducted?

Security breaches can be costly and damaging for your practice.

The HIPAA Breach Notification Rule, 45 CFR §§164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Covered entities must:

  • Have written policies and procedures regarding breach notification.
  • Train employees on these policies and procedures.
  • Develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.

Who needs an SRA?

  • All providers under HIPAA must perform a risk assessment.
  • Providers seeking EHR incentive payments must conduct a risk assessment.
  • Even with a certified EHR, practices must perform a full security risk assessment.
  • Security requirements cover all electronic protected health information, not just EHR data.
  • EHR vendors can provide information, assistance, and training on privacy and security aspects but are not responsible for HIPAA compliance.
  • Conducting a complete risk assessment is the sole responsibility of the practice.
  • Qsource can provide expert knowledge for a thorough and professional risk assessment.

How can Qsource help?

Our team has been conducting SRAs (Security Risk Assessments) since 2012.
  • We offer personal, in-depth assessments using custom-built assessment tools, policies, and procedures.
  • Our experienced assessors can conduct your SRA onsite or virtually.
  • We can help you identify and correct any deficiencies to maximize incentives and maintain compliance.
  • Working with our team can reduce your practice's administrative burden.
  • We provide you with the documentation you need for compliance audits.