
HIPAA Security Risk Assessment (SRA)


    Overview

    Drafts and validates the Security Risk Assessment required by the HIPAA Security Rule (45 CFR §164.308(a)(1)). Maps ePHI assets to threats, vulnerabilities, and safeguards across the administrative, physical, and technical categories. Produces the SRA report and risk register aligned with the HHS/OCR audit protocol.

    Example Conversation

    You: We need a HIPAA Security Risk Assessment for our EHR platform and patient portal. We have about 15 ePHI-touching systems. Can you draft the SRA and risk register, then validate it?

    Agent: I’ll inventory the ePHI assets you described, map threats and vulnerabilities per NIST SP 800-30, document administrative, physical, and technical safeguards in place, rate risk as likelihood × impact, and build the risk register with remediation owners and target dates. Then I’ll run sra_safeguard_coverage_check on the draft.

    Agent: Created sra-report.md. Running sra_safeguard_coverage_check

    Agent: Check FAIL — the document covers administrative and technical safeguards but the physical safeguard section is missing. Also, two ePHI references have no nearby threat/vulnerability pairing. I’ll add the physical safeguard section (facility access, workstation security, device disposal) and pair the missing assets with threats.

    Agent: Updated the report. Re-ran sra_safeguard_coverage_check: PASS — all three safeguard categories present, all ePHI assets paired with threats, likelihood and impact ratings present, remediation items have owners and target dates.

    What the Tools Validate

    The skill includes one extension tool:

    sra_safeguard_coverage_check scans the SRA document for four dimensions of completeness:

    • Safeguard category coverage — The document must reference all three HIPAA safeguard categories: administrative (§164.308), physical (§164.310), and technical (§164.312).
    • ePHI asset–threat pairing — Each ePHI asset reference must have a threat or vulnerability described nearby (within an 8-line window), ensuring no asset is left unanalyzed.
    • Risk ratings — The document must include both likelihood and impact rating references so every risk entry has a quantified risk level.
    • Remediation completeness — Remediation or action items must include an owner/responsible party and a target date to ensure accountability.

    Output: PASS if all four checks are satisfied; otherwise FAIL with per-section detail showing what is missing. Run on the draft after completing the risk register; fix gaps and re-run until the check passes.
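    The four checks above are simple enough to reproduce, and seeing them as code makes the failure modes concrete (a missing §164.310 section, an ePHI mention with no threat text in the surrounding lines). The following Python is an added illustration written for this page; it is not the skill's own sra_safeguard_coverage_check. The keyword lists, the rule that a risk-register row starts with `| R-`, the requirement that at least one ePHI reference exists, and the report layout are assumptions made here. Both sample documents are constructed.

```python
"""Added example: a re-implementation of the four completeness checks the page
describes.  Not the skill's own tool; keyword lists, row conventions and the
report layout are assumptions made for illustration."""
import re
from dataclasses import dataclass, field

# Each safeguard category is accepted in citation form or phrase form (assumption).
CATEGORY_PATTERNS = {
    "administrative (§164.308)": re.compile(r"164\.308|administrative safeguard", re.I),
    "physical (§164.310)": re.compile(r"164\.310|physical safeguard", re.I),
    "technical (§164.312)": re.compile(r"164\.312|technical safeguard", re.I),
}
THREAT_CONTEXT = re.compile(r"threat|vulnerab", re.I)  # assumed "threat described" signal
EPHI = re.compile(r"\bePHI\b")                           # every line mentioning ePHI counts
WINDOW = 8                                               # lines either side, per the page


@dataclass
class CheckResult:
    name: str
    passed: bool
    details: list[str] = field(default_factory=list)


def check_categories(lines):
    found = {n: any(p.search(ln) for ln in lines) for n, p in CATEGORY_PATTERNS.items()}
    details = [f"{n}: {'FOUND' if ok else 'MISSING'}" for n, ok in found.items()]
    return CheckResult("Safeguard Category Coverage", all(found.values()), details)


def check_ephi_pairing(lines):
    """Every ePHI reference needs threat/vulnerability text within WINDOW lines."""
    refs, unpaired = 0, []
    for i, line in enumerate(lines):
        if not EPHI.search(line):
            continue
        refs += 1
        lo, hi = max(0, i - WINDOW), min(len(lines), i + WINDOW + 1)
        if not any(THREAT_CONTEXT.search(ln) for ln in lines[lo:hi]):
            unpaired.append(i + 1)  # report 1-based line numbers
    details = [f"ePHI references found: {refs}"]
    details.append("All ePHI references have nearby threat/vulnerability context." if not unpaired
                   else "No nearby threat/vulnerability context at lines: " + ", ".join(map(str, unpaired)))
    return CheckResult("ePHI Asset / Threat-Vulnerability Pairing", refs > 0 and not unpaired, details)


def check_risk_ratings(lines):
    text = "\n".join(lines)
    entries = sum(1 for ln in lines if re.match(r"\|\s*R-\d+", ln.strip()))  # assumed row format
    missing = [n for n, pat in (("likelihood", r"likelihood"), ("impact", r"\bimpact\b"))
               if not re.search(pat, text, re.I)]
    details = [f"Risk entries found: {entries}",
               "Likelihood and impact references present." if not missing
               else "Missing rating references: " + ", ".join(missing)]
    return CheckResult("Risk Ratings (Likelihood × Impact)", not missing, details)


def check_remediation(lines):
    text = "\n".join(lines)
    refs = len(re.findall(r"remediation|action item", text, re.I))
    missing = [n for n, pat in (("owner", r"\bowner\b|responsible party"), ("target date", r"target date"))
               if not re.search(pat, text, re.I)]
    details = [f"Remediation references found: {refs}",
               "Owner and target date references present." if not missing
               else "Missing: " + ", ".join(missing)]
    return CheckResult("Remediation / Action Items", refs > 0 and not missing, details)


def check_sra_coverage(document: str) -> dict:
    lines = document.splitlines()
    sections = [check_categories(lines), check_ephi_pairing(lines),
                check_risk_ratings(lines), check_remediation(lines)]
    return {"result": "PASS" if all(s.passed for s in sections) else "FAIL", "sections": sections}


def render(report: dict, name: str = "sra-report.md") -> str:
    out = ["=== SRA SAFEGUARD COVERAGE CHECK ===", f"Result: {report['result']}", "", f"Document: {name}"]
    for sec in report["sections"]:
        out += ["", f"--- {sec.name} ---"] + [f"  {d}" for d in sec.details]
    return "\n".join(out)


# Constructed sample documents (not real assessments).
FULL_DOC = "\n".join([
    "## ePHI Inventory", "",
    "| Asset | System | Data flow | Threats | Vulnerabilities |",
    "|-------|--------|-----------|---------|-----------------|",
    "| Patient demographics | EHR | ePHI created, received, maintained | Unauthorized access, ransomware | Unpatched OS |",
    "| Lab results | Lab portal | ePHI transmitted | Interception | Unencrypted transport |", "",
    "## Administrative Safeguards (§164.308)",
    "- Security management process: risk analysis, risk management, sanction policy.", "",
    "## Physical Safeguards (§164.310)",
    "- Facility access controls: badge access, visitor logs.", "",
    "## Technical Safeguards (§164.312)",
    "- Access control: unique user ID, auto logoff, encryption.", "",
    "## Risk Register",
    "| Risk ID | Asset | Threat | Likelihood | Impact | Risk Level | Remediation | Owner | Target Date |",
    "|---------|-------|--------|------------|--------|------------|-------------|-------|-------------|",
    "| R-001 | EHR | Ransomware | High | High | Critical | Deploy EDR | CISO | 2026-06-30 |",
    "| R-002 | Lab portal | Interception | Medium | High | High | Enforce TLS | IT Lead | 2026-03-31 |",
])
# Same shape, but no physical section and an inventory table with no threat columns.
MISSING_PHYSICAL_DOC = "\n".join([
    "## ePHI Inventory", "",
    "| Asset | System | Data flow |",
    "|-------|--------|-----------|",
    "| Patient demographics | EHR | ePHI created, received, maintained |", "",
    "## Administrative Safeguards (§164.308)",
    "- Security management process: risk analysis, sanction policy.", "",
    "## Technical Safeguards (§164.312)",
    "- Access control: unique user ID, auto logoff, encryption.", "",
    "## Risk Register",
    "| Risk ID | Asset | Threat | Likelihood | Impact | Risk Level | Remediation | Owner | Target Date |",
    "|---------|-------|--------|------------|--------|------------|-------------|-------|-------------|",
    "| R-001 | EHR | Ransomware | High | High | Critical | Deploy EDR | CISO | 2026-06-30 |",
])

if __name__ == "__main__":
    for doc in (FULL_DOC, MISSING_PHYSICAL_DOC):
        print(render(check_sra_coverage(doc)), end="\n\n")
```

    Running the block prints a PASS report for the first document and a FAIL report for the second that names the missing physical category and the two ePHI lines (the section heading and the inventory row) with no threat or vulnerability text within eight lines. The window check is deliberately line-based rather than table-aware, which is why an inventory table without Threat/Vulnerability columns fails unless a nearby paragraph describes the threats.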

    Output Excerpt

    Excerpt from a generated SRA report and sample validator output.

    SRA report (excerpt):

    ## ePHI Inventory
    
    | Asset | System | Data flow | Threats | Vulnerabilities |
    |-------|--------|-----------|---------|-----------------|
    | Patient demographics | EHR (Epic) | ePHI created, received, maintained | Unauthorized access, ransomware | Unpatched OS, weak access controls |
    | Lab results | Lab portal | ePHI transmitted | Interception, data loss | Unencrypted transport |
    
    ## Administrative Safeguards (§164.308)
    - Security management process: Risk analysis (this document), risk management, sanction policy, IS activity review.
    - Workforce security: Authorization/supervision, clearance procedures, termination procedures.
    
    ## Physical Safeguards (§164.310)
    - Facility access controls: Badge access, visitor logs, contingency operations plan.
    - Workstation use/security: Screen lock policy, encrypted drives.
    
    ## Technical Safeguards (§164.312)
    - Access control: Unique user ID, emergency access, auto logoff, encryption.
    - Audit controls: System activity logs reviewed monthly.
    
    ## Risk Register
    | Risk ID | Asset | Threat | Likelihood | Impact | Risk Level | Remediation | Owner | Target Date |
    |---------|-------|--------|------------|--------|------------|-------------|-------|-------------|
    | R-001 | EHR | Ransomware | High | High | Critical | Deploy EDR, segment network | CISO | 2026-06-30 |
    

    sra_safeguard_coverage_check report (excerpt):

    === SRA SAFEGUARD COVERAGE CHECK ===
    Result: PASS
    
    Document: sra-report.md
    
    --- Safeguard Category Coverage ---
      administrative (§164.308): FOUND
      physical (§164.310): FOUND
      technical (§164.312): FOUND
    
    --- ePHI Asset / Threat-Vulnerability Pairing ---
      ePHI references found: 4
      All ePHI references have nearby threat/vulnerability context.
    
    --- Risk Ratings (Likelihood × Impact) ---
      Risk entries found: 6
      Likelihood and impact references present.
    
    --- Remediation / Action Items ---
      Remediation references found: 6
      Owner and target date references present.
    

    Getting Started

    Add your source materials to the project workspace (network diagrams, system inventory, existing policies), then activate the HIPAA Security Risk Assessment (SRA) skill. The agent will guide you through ePHI inventory, threat analysis, safeguard assessment, risk determination, and running sra_safeguard_coverage_check to validate completeness before audit.
