From the Federal Health IT site:
The SRA Tool takes you through each HIPAA requirement by presenting a question about your organization’s activities. Your “yes” or “no” answer will show you if you need to take corrective action for that particular item. There are a total of 156 questions.
Resources are included with each question to help you:
Understand the context of the question
Consider the potential impacts to your PHI if the requirement is not met
See the actual safeguard language of the HIPAA Security Rule
Performing a security risk assessment is not only a good idea, it is the law: the HIPAA Security Rule's risk analysis standard (45 CFR 164.308(a)(1)(ii)(A)) requires it. If you are ever challenged with a HIPAA complaint or audit, one of the first things the auditor will ask to see is your risk assessment.
One of the first and most important parts of the assessment is to determine where PHI (Protected Health Information) is stored. Of course you have PHI on your server, but you may also have it in other places that are not so obvious. You have PHI on your backup, or more likely backups. Where are those? Are they secure?
You may have PHI on the doctor's laptop, or copied to a random USB memory stick. What about computers other than the server? Some team members keep copies of patient data on their personal workstations.
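A quick way to check the "not so obvious" places described above (workstation home folders, a mounted backup volume, a USB stick) is to scan them for files that look like they hold PHI. The following is an added example written for this page, not code from the article or from the SRA Tool; the identifier patterns, the sample file names and their contents are all constructed for illustration, and a real practice would tune the patterns to its own record formats. It flags files containing plausible Social Security numbers (rejecting number shapes the SSA never issues), labelled dates of birth, and chart or patient ID numbers, skips binary files, and reports the hit counts per file so you can add each location to the inventory.

```python
"""Find files that look like they contain PHI, so the locations can go on the
risk-assessment inventory. Added example for this page, not from the article
or the SRA Tool.

Run with a path argument (a share, a home directory, a mounted backup or a USB
stick) or with no argument to scan a constructed sample tree. It is a first
pass only: it cannot see inside encrypted archives or the practice-management
system's own database, which still need their own inventory entries.
"""
import os
import re
import sys
import tempfile
from collections import Counter

# Identifiers that, together, strongly suggest PHI in free text. Hypothetical
# selection chosen for this example; tune to the practice's own record formats.
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "mrn": re.compile(r"\b(?:MRN|Chart|Patient\s*ID)\s*[#:]?\s*\d{4,}\b", re.I),
}

MAX_BYTES = 5 * 1024 * 1024  # skip very large files; databases are inventoried separately


def valid_ssn(match):
    """Reject shapes the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = (int(g) for g in match.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def scan_file(path):
    """Return a Counter of identifier hits for one file, or None if it is not readable text."""
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return None
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        return None
    if b"\x00" in raw:  # crude binary check: skips images, database files, archives
        return None
    text = raw.decode("utf-8", errors="replace")
    hits = Counter()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "ssn" and not valid_ssn(m):
                continue
            hits[name] += 1
    return hits


def scan_tree(root):
    """Walk root and return {path: Counter} for every file with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            hits = scan_file(path)
            if hits:
                findings[path] = hits
    return findings


def build_sample_tree(root):
    """Write constructed sample files (not real patient data) to exercise the scanner."""
    samples = {
        "Desktop/recall_list.csv": "name,ssn,dob\nJ. Doe,123-45-6789,DOB: 04/12/1975\n",
        "Downloads/referral.txt": "Patient ID 0012345 referred for extraction. MRN: 887766\n",
        "Documents/budget.txt": "Q3 supplies 1200.00, invoice 000-00-0000 (not an SSN)\n",
        "Pictures/xray.bin": b"\x89PNG\x00\x00fake image bytes",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as fh:
            fh.write(content)


def demo():
    """Scan the constructed sample tree in a temp dir; return {relative_path: Counter}."""
    root = tempfile.mkdtemp(prefix="phi-demo-")
    build_sample_tree(root)
    return {os.path.relpath(p, root).replace(os.sep, "/"): h
            for p, h in scan_tree(root).items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = demo()
    for path, hits in sorted(results.items()):
        print(path + ": " + ", ".join(f"{k}={v}" for k, v in sorted(hits.items())))
```

On the constructed tree the recall list (one SSN, one DOB) and the referral note (two chart numbers) are reported; the budget file is not, because 000-00-0000 fails the SSA validity check, and the image is skipped as binary. Point the script at each backup volume and removable drive in turn, and record every directory it reports as a PHI location in the assessment.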
Once you have located the data, is it secure? If a computer is stolen or you lose a memory stick, that is considered a data breach unless the PHI on it was encrypted in line with HHS guidance, which is why full-disk encryption on laptops and removable media matters.
The government guide is certainly useful, but it is still cumbersome and confusing. Most dentists would benefit from paying their IT professional to come in and help them with the assessment.