View Only
  • 1.  Will SRA tool trigger an audit?

    Posted 08-11-2022 11:44 AM
    This almost seems like a silly question, but I figure it can't hurt to ask.  A member of my risk assessment committee shared a concern that if we use the HHS SRA tool, and they find we have entered some kind of information, that it could trigger an audit.  Our compliance department (of one, me) is new and this is our first security risk assessment, so I plan to use the tool as a starting point. The tool is saved to my computer, so HHS shouldn't have access to any information entered into it, right?  I told the committee I would look into whether anyone has been audited by OIG from info they put into the tool.  Has anyone ever heard of this happening? Can it happen? Does HHS have access to the information that goes into the tool?

    Thank you!

    Sarah McGuire
    Compliance Officer
    Default Blank

  • 2.  RE: Will SRA tool trigger an audit?

    Posted 08-11-2022 12:10 PM
    Not a silly question.  I had a similar question and went to my answer person to make sure as well because we are using the tool for many practice locations.  The tool is not connected to the internet.  So HHS does not have access to anything you enter into the tool.  The tool is only installed on your computer and does not have anything connected to "the cloud".  If you want addition confirmation, there is a video on the webpage where the tool is located and the presenters talk about how the tool is not connected to the internet.

    Hope this helps.

    Alicia Sanchez

    Default Blank

  • 3.  RE: Will SRA tool trigger an audit?

    Posted 08-11-2022 01:39 PM
    I love these community sites - where "silly" questions become "I'm glad you brought this up" questions 😁.

    Stephen (Steve) Pavlicek | Community Engagement Manager
    Society of Corporate Compliance and Ethics
    Health Care Compliance Association
    Office: 952.567.6219 | Mobile: 612.207.3172
    6462 City West Parkway | Eden Prairie, MN 55344

    Default Blank

  • 4.  RE: Will SRA tool trigger an audit?

    Posted 08-15-2022 12:27 PM
    A little off the focus but I would think, and I'm not a lawyer, that even though the SRA tool is not accessible to CMS online if a security incident did occur and CMS became involved they might well ask if you had done a risk assessment. At that point, I suspect your legal counsel would advise you to turn over your work product from the SRA tool.


    Charles E. Colitre
    Healthcare Compliance Consultants
    PO Box19164
    New Franklin, OH 44319
    330-807-5499 (cell)

    Default Blank