Planning your organization’s SRA in 2015

Thursday, May 21 2015

SRA InfographicSecurity Risk Assessments (SRAs), if done correctly, are time-consuming and must not be left to the last minute. The Centers for Medicare and Medicaid Services has estimated a Meaningful Use-related SRA will take approximately six hours of time per eligible provider. Don’t bet on it.

Purdue Healthcare Advisors has performed thousands of SRAs for hundreds of organizations over the past several years, and I can tell you that it takes time to both review the information technology infrastructure and assess the risk to health data. Just checking a box on a U.S Department of Health and Human Services’ HIPAA and/or Meaningful Use (MU) risk assessment checklist doesn’t fulfill the intent of the measure. Organizations must 1) perform an SRA before or during the attestation period, 2) assess the security risk of the Eligible Provider (EP) since they are the ones attesting to MU, and 3) take measures to begin remediating the risk.

You can’t do an SRA in an afternoon, especially if you want to pass a future audit.

So how much time does it take for a proper SRA? For an MU attester in a one-doc, independent practice, we are able to complete a first-time SRA in about 16 hours. That includes about eight hours of on-site data collection and technical testing and eight hours performing the analysis and writing the report. The time allotted is necessary because this initial SRA must provide a good baseline for the provider, and serve as a continuous risk management tool.

The close proximity and shared protocols of an independent medical specialty or primary care group bring the SRA time-per-provider down sharply. We can be in and out of a 20 to 30 provider medical specialty practice (anesthesiology, urology, and orthopedics) in a few days if we don’t run into too many snags. How and where the EHR is hosted and maintained will determine how smoothly these SRAs go.

For Critical Access Hospitals (CAH), the SRA time-per-provider decreases, as well, due to shared efficiencies, i.e. the provider community using the same infrastructure, procedures and policies. We’ll spend roughly 32-40 hours per CAH for those hospitals that have a couple of hospitalists, a handful of physicians, and contracted staff. However, we’ll need to evaluate how agency-contracted staff members are handled from a SRA perspective. Those who have ongoing privileges to access the EHR even though they are not continuously employed do pose a risk.

Move on to medium-sized hospitals with an in-house laboratory, pharmacy, and radiology department; support facilities (cancer centers, surgical centers, etc.); and 15-30 clinics that employ 30-40 providers, and things get more complicated. We’ll spend a minimum of 40-60 hours plus our assessment/documentation time to provide SRA reports for medium-sized hospitals. In a time pinch, we could forgo an on-site, physical walkthrough in favor of a physician survey that asks pertinent IT-related questions. But we still need time to customize the survey, verify that all the EPs have completed it, and analyze the results.

Physician surveys can be substituted, but they still take time.

Large hospitals and health systems have many of the same challenges as their smaller counterparts, only more so. They are likely to have multiple EHRs (one for inpatient and one for ambulatory) and these may or may not interface with one another. They may run multiple patient portals, own a dozen hospitals, operate more than 100 clinics, and employ in excess of 1,000 providers. For these entities, we’ll spend several hundred hours on an SRA. The time allotted will depend on the number of sites, , number of endpoints (computers, etc.), number of clinical applications, and number of Business Associate Agreements (BAAs). In these large organizations, different administrators may own different pieces of the security-risk pie, and we’ll need to interview human resources, health information management, and others to understand that hospital’s particular recipe for risk management.

You may wonder at the number of hours needed to produce a viable SRA and the associated costs of being thorough, but know that Purdue Healthcare Advisors, as a not-for-profit Purdue University entity, works on a cost-recovery basis, and charges only for the resources and time required to complete the project.

Schedule your SRA now or risk being unable to complete it properly.

Type of Organization SRA time allotted per org Ideal time to schedule SRA for January 1 attestation
Small Physician Practices Minimum 16 hours By November 1, 2015
Medical Specialty Groups Minimum 32-40 hours By October 1, 2015
Critical Access Hospitals Minimum 32-40 hours By October 1, 2015
Medium-Sized Hospitals Minimum 120 hours By August 1, 2015
Large Hospitals/Health Systems Minimum 600-800 hours By June 1, 2015


Administrators and practice managers who don’t plan accordingly may be left with very expensive options or very few resources when it comes to crunch time. By November, our team of security advisors is typically completely booked for SRAs. And — although it’s not likely — even if we did have time to perform one for your organization in December, would you have the time to begin making the changes necessary to comply with the measure?

To schedule your SRA, contact Brian McCammon, PHA Managing Advisor-Business/Client Development, at 844-742-3678.

Tags: Health IT Security

Purdue University, West Lafayette, IN 47907 (765) 496-1911

© 2019 Purdue University | An equal access/equal opportunity university | Copyright Complaints

If you have trouble accessing this page because of a disability, please contact Purdue Technical Assistance Program