EHR Incentive Program SRA Checklist: What to Document, Validate, and Remediate
Mandatory Annual Security Risk Assessment
Your security risk analysis (SRA) is an annual, non-negotiable requirement tied to EHR Incentive Program attestation requirements and HIPAA compliance. The assessment must address the confidentiality, integrity, and availability of electronic protected health information (ePHI) across your entire environment, including hosted EHRs, interfaces, and business associates.
Document the full scope of systems that create, receive, maintain, or transmit ePHI; validate that safeguards are functioning; and remediate any gaps through prioritized actions. Repeat the SRA whenever you experience significant changes: new locations, EHR upgrades, mergers, cloud migrations, or security incidents.
What to include in scope
- All clinical and back-office systems handling ePHI (EHR, HIE interfaces, patient portals, billing, imaging, backups).
- Users, roles, and access pathways (remote access, mobile devices, telehealth workflows, third-party connections).
- Physical locations (clinics, home offices, data centers) and network segments (on-premises and cloud).
Validation focus
- Encryption at rest/in transit, multi-factor authentication, account provisioning/deprovisioning, and patch management.
- Backup integrity tests, disaster recovery drills, logging/monitoring, and incident response readiness.
- Business associate agreements and vendor security assurances relevant to ePHI handling.
Remediation cadence
- Prioritize high-risk items for near-term fixes; document interim compensating controls where needed.
- Track all findings to closure with owners, target dates, and evidence of completion.
SRA Documentation Requirements
Strong audit documentation proves you performed due diligence. Keep a complete, dated record that shows how you analyzed risk, validated controls, and executed remediation. Retain records according to policy and regulatory retention expectations.
Core deliverables to maintain
- Statement of scope and methodology (including systems, data flows, locations, and stakeholders).
- Asset and data-flow inventories mapping where ePHI is stored, processed, and transmitted.
- Threat/vulnerability analysis with likelihood and impact ratings; overall risk scoring.
- Control evaluation results (administrative, physical, and technical) with test procedures used.
- Evidence pack: screenshots, configuration exports, vulnerability scan reports, backup restore logs, and MFA/encryption proofs.
- Policies and procedures reviewed or updated (access control, incident response, device/media, contingency, change management).
- Risk register listing findings, severities, owners, milestones, and current status.
- Approved corrective action plan covering timelines, resources, and acceptance criteria.
- Leadership sign-off and attestation readiness memo summarizing results and residual risk.
Utilizing the ONC SRA Tool
The ONC SRA Tool helps you structure a thorough security risk analysis, but it does not by itself guarantee HIPAA compliance. Use it as a framework, then supplement with technical testing and organization-specific validation.
Practical steps
- Set up your practice profile and complete each module, ensuring scope includes all ePHI systems and workflows.
- Answer questions with evidence; attach artifacts directly to items (configs, screenshots, logs).
- Use the tool’s summaries to inform your risk register and corrective action plan.
- Export the final report and keep it with your SRA documentation set for audits.
Validation and remediation tips
- Corroborate tool responses with hands-on tests: restore a sample backup, review audit logs, and verify MFA on high-risk accounts.
- Translate high-risk responses into concrete remediation tasks with owners and deadlines.
State-Specific SRA Checklist Compliance
Some states publish supplemental SRA expectations tied to EHR Incentive Program or Medicaid-related reviews. Build a crosswalk from your SRA findings to the state checklist so you can demonstrate compliance quickly during desk or on-site audits.
How to align
- Map state checklist items to your risk register, policies, and test evidence; note where artifacts reside.
- Document provider types, locations, and service lines included; explain any exclusions and compensating controls.
- Record dates of assessment activities to show they align with your reporting period and attestation requirements.
Remediation expectations
- Address state-flagged high-risk items first; keep proof of remediation and sign-off.
- If a control will take time to implement, document interim safeguards and a realistic completion date.
Reviewing and Updating the SRA
Treat the SRA as a living process guided by the NIST Cybersecurity Framework. Re-evaluate risks after material changes and at least annually to confirm that controls remain effective and that residual risk is acceptable.
Ongoing review cadence
- Quarterly risk register reviews to update statuses and adjust priorities based on emerging threats.
- Change-driven mini-assessments for new vendors, integrations, locations, or major software updates.
- Tabletop exercises to validate incident response and disaster recovery.
Metrics and evidence
- Key indicators: patch latency, backup success and restore time, MFA coverage, privileged access reviews, and phishing test results.
- Maintain versioned SRA reports, evidence packs, and leadership approvals to support future audits.
Developing Corrective Action Plans
A corrective action plan translates SRA findings into measurable improvements. It should be risk-based, time-bound, and aligned to budget and staffing realities.
Effective CAP structure
- Finding summary with root cause and impacted systems/workflows.
- Regulatory mapping (e.g., relevant HIPAA Security Rule standards) and business impact.
- Remediation tasks with owners, milestones, and required resources.
- Acceptance criteria, test/validation steps, and required evidence for closure.
- Residual risk statement for any deferred items with executive sign-off.
Prioritization and follow-through
- Address critical risks first (unpatched internet-facing systems, missing encryption, weak access controls).
- Document quick wins to reduce exposure immediately while longer projects proceed.
- Close tasks only after validation tests confirm the control works in production.
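As an added illustration (not code from this page or from any vendor), a small Python model of a risk register and corrective action plan: it scores each finding by likelihood and impact, orders remediation by score, refuses to close a finding without validation evidence, and refuses to defer one without an interim safeguard. The 1-5 scales, severity thresholds, finding ids and sample findings are all constructed.

```python
from dataclasses import dataclass, field

# Constructed 1-5 scales; risk score = likelihood x impact (1-25).
SEVERITY_BANDS = [(15, "critical"), (8, "high"), (4, "medium")]

def severity(likelihood: int, impact: int) -> str:
    """Map likelihood x impact onto the register's severity labels."""
    score = likelihood * impact
    return next((label for t, label in SEVERITY_BANDS if score >= t), "low")

@dataclass
class Finding:
    fid: str            # hypothetical finding id, e.g. SRA-01
    summary: str
    likelihood: int
    impact: int
    owner: str
    due: str            # target date (ISO format)
    status: str = "open"
    interim_control: str = ""
    evidence: list = field(default_factory=list)
    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def prioritize(register):
    """Highest score first; earlier due date breaks ties."""
    return sorted(register, key=lambda f: (-f.score, f.due))

def close_finding(f: Finding, validation_evidence: list) -> Finding:
    """Closure needs evidence that the control works in production."""
    if not validation_evidence:
        raise ValueError(f"{f.fid}: cannot close without validation evidence")
    f.evidence.extend(validation_evidence)
    f.status = "closed"
    return f

def defer_finding(f: Finding, interim_control: str, new_due: str) -> Finding:
    """Deferred items must carry an interim safeguard and a new target date."""
    if not interim_control:
        raise ValueError(f"{f.fid}: deferral requires a documented interim control")
    f.interim_control, f.due, f.status = interim_control, new_due, "deferred"
    return f

SAMPLE_REGISTER = [  # constructed sample register, not real findings
    Finding("SRA-01", "Patient portal missing critical patches", 5, 5, "IT lead", "2024-07-15"),
    Finding("SRA-02", "Clinic laptops lack full-disk encryption", 4, 4, "IT lead", "2024-08-01"),
    Finding("SRA-03", "No documented backup restore test", 3, 4, "Ops lead", "2024-09-01"),
    Finding("SRA-04", "Shared admin account on billing system", 2, 3, "Billing mgr", "2024-08-15"),
]
```

Running `prioritize(SAMPLE_REGISTER)` yields the work order SRA-01, SRA-02, SRA-03, SRA-04; the evidence list attached at closure is what goes into the evidence pack.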
Handling Group Submissions for SRA
For group attestations, one SRA can cover multiple providers if it fully reflects the common environment where ePHI is handled. You must document any site-specific variations and ensure each provider’s workflows, locations, and technologies are included.
Group coverage checklist
- Define organizational boundaries (legal entities, tax IDs) and all locations in scope.
- Confirm certified EHR technology usage and common security controls across the group.
- Record provider-level exceptions (unique devices, specialty systems, remote sites) and evaluate their risks.
- Align business associate oversight and data-sharing agreements to the group environment.
- Obtain leadership and provider representatives’ sign-off acknowledging the SRA’s applicability.
Conclusion
Use this EHR Incentive Program SRA Checklist to document your scope and findings, validate control effectiveness, and remediate risks through a disciplined corrective action plan. Align to the NIST Cybersecurity Framework, retain robust audit documentation, and revisit the SRA after changes to keep your HIPAA compliance posture strong.
FAQs
What is the deadline for completing the SRA in the EHR Incentive Program?
Complete and document the SRA for each year you attest, no later than the end of the EHR reporting period you are attesting for. Aim to finish early enough to remediate high-risk findings before attestation and maintain clear evidence of completion and sign-off.
What documentation is required for the SRA?
Maintain scope and methodology, asset and data-flow inventories, a threat/vulnerability analysis with risk ratings, control test results, an evidence pack (screenshots, logs, scan reports), updated policies, a risk register, an approved corrective action plan, and leadership sign-off to support audit documentation.
Can one SRA cover multiple providers in a group submission?
Yes, provided the SRA covers the entire common environment where ePHI is handled, documents site-specific differences, and includes each provider's technologies and workflows. Obtain group-level sign-off and keep evidence that controls apply consistently across locations.
How should identified risks be remediated after an SRA?
Create a corrective action plan that prioritizes high-risk items, assigns owners and deadlines, defines acceptance criteria, and requires validation testing. Document interim safeguards for deferred items, collect closure evidence, and update the risk register until all actions are complete.