COVID-19 UPDATE: Layer3 is currently open Monday through Friday 8AM to 5PM for remote support and remote consultations ONLY. On-site support requests will be handled per incident, and on an emergency basis only. On-site consultations will resume once COVID-19 restrictions are lifted. Please contact our help desk at help@layer3nj.com or visit https://helpdesk.layer3nj.com if you have an immediate issue.

How do we perform our HIPAA Security Risk Assessment (SRA)?

One of the first things we'll do when we start working with you is perform a HIPAA Security Risk Assessment (SRA). We are extremely thorough, and do not just focus on the technological aspect of the SRA. We review everything - your BAA's with vendors, your current polciies and controls, employee knowledge, and physical/electronic security safeguards.

  • Privacy Rule Audit: The standards we address for this assesment are located in the HIPAA Privacy Rule, and relate to availability and access of Patient records, as well as it's use, disclosure, and authorization of access.

  • Security Rule Audit: The standards we address for this audit are found in the HIPAA Security Rule. We not only audit technical and physical security safeguards, we also audit administrative.

  • IT Security Audit: We perform an audit which will determine any areas of risk which require mitigation. This includes (but isn't limited to) hardware, software, network, and other technology your practice employs.

  • Asset and Device Audit: We perform a physical and electronic (software, licenses, etc.) inventory of all devices that are authorized by your practice to have access to ePHI. As part of our Healthcare Managed IT Services, we provide an on-site inventory system for all future SRA's.

  • Physical Site Audit: We assess the physical security of your building - including camera angles, physical access controls (like locks, etc.), and locations where PHI or ePHI are kept.

  • HITECH Subtitle-D Audit: This is an audit that most IT MSP's miss, but not us. We audit any documents and processes regarding breaches and the breach notification process.


  • We then take this information, along with the feedback of what you're looking for from your practice's IT infrastructure, and then build a package unique to you and your practice.