Security Risk Assessments and OneNote
Reading time: <4 minutes | Audience: HIPAA-covered entities | Prerequisites: oxygen-breather, involved in healthcare MIPS compliance and attestation, and holding certain security responsibilities.

I had the pleasure of providing two separate briefs on compliance, specifically as it pertained to security risk assessments (SRAs). Most of you, if not all, are aware that a yearly SRA is a required element of MIPS attestation. If I had a chance to make one recommendation that sticks, it would be this: keep it simple, keep it central, and keep it versatile.

Okay, I know technically that was three recommendations. Forgive me.

Make It SOP

Your best bet is always to weave the milestones of compliance into your standard operating procedures.

That is our goal.

Continuous Improvement

And since we know that there is always room for improvement, why not aspire to a “continuous improvement” environment? With those two statements as the cornerstone of how we do business here, the interviewer recommended that I hold clinics on the topic. As nice as the compliment was, I took it more as a calling: help others with this daunting task, and maybe even provide some tools that can help.

When you are looking down the barrel of a HIPAA audit, being prepared is always the best policy. For me, getting prepared demands that I get organized!

Speaking of getting organized…

What Are My Options?

You have some options here. For SMBs (small and medium-sized businesses), there are companies with service offerings that cost [Austin Powers voice] 1 Million Dollars, and honestly – you may spend the same amount of work-hours over-editing their results. It may be more cost-effective to just keep it simple, learn the details behind the corresponding governance, and become a subject matter expert in your own right.

For those organizations that are much larger and need a leg-up, including the scaling tools and automation that come with it… the 1-Million-Dollar offerings from certain service providers might be the way to go for you.

The contents of this article and the tool that comes with it… free.

What is OneNote?

I have been using OneNote for a few years now, and I am convinced that my life – both professionally and personally – would be very challenging without it!

OneNote is basically your own digital notebook. It runs on smartphones as well as PCs (maybe even Macs; I can’t attest to that). You can easily organize your ideas, to-dos, images, documents, text snippets… you name it!

You can type notes, record audio, sketch or write ideas, and add pictures. It comes complete with several ways to organize and search your data. You can also share your OneNote notebooks with others!

Conducting that SRA is a major step in preparing for and successfully making it through a HIPAA audit. It is with this in mind that I took the time to condense the requirements/questions from the HIPAA Administrative, Physical, and Technical Safeguards questionnaire into outline form in OneNote.

Free Tool

Having your SRA outline, and a matching way to collect and organize all related artifacts, in OneNote makes it portable, sharable, and flexible. Once you have completed your organization’s SRA, it is simple enough to export it to PDF.

Simply contact me if you would like a copy of this OneNote SRA outline. It is free, and you can bend it, break it, shape it, or alter it however you would like.

I also welcome any input you have on it. This tool is distributed as-is.
I have twisted OneNote into just about every form you can imagine, so if you need some pointers on OneNote or the SRA, please reach out.

For advanced reading on some of these topics, here are some resources for you to check out:

QPP & MIPS Background Information:

HIPAA Privacy Rule (Administrative, Physical, and Technical Safeguards):

NIST Cybersecurity Framework:

What is OneNote?

P.S. OneNote is also HIPAA compliance-ready… all you need is the BAA, which Microsoft will give you. Please note (no pun intended) that I do not recommend that OneNote be used to store ePHI (I do not)… but it’s the thought that counts. Thanks, Microsoft.

#cybersecurity #mips #onenote #security #risk #attestation #securityriskassessment #assessment