SECURITY RISK ASSESSMENT (“SRA”) ADDENDUM

Effective as of January 1, 2024 (Version Number: 45292)

All terms not defined herein shall have the meaning ascribed to them in the DAS Standard Incorporated Terms and Conditions.

Security Risk Assessment (“SRA”) - If the executed COF includes “SRA” in any form, the following additional terms and conditions apply:

  1. Unless specifically included on the COF, SRA is not included in any Services. 
  2. If included, SRA services (as outlined below) will be provided during each Calendar Year for which (a) the SRA was initially ordered, provided that the UFC was paid, or (b) 12 months’ MSC has been paid or agreed to be paid, and there has been no default or late payment by Client, or (c) a full year of MSC has been paid in advance.
  3. A “Security Risk Assessment” subscription on the COF includes the following services:
    1. Annual comprehensive HIPAA Security Risk Assessment tool, including: satisfaction of the Merit-Based Incentive Payment System (MIPS) requirement “Security Risk Analysis” (conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1)); Executive Summary Report; Detailed Findings Report; and Work Plan
    2. On-Demand HIPAA Employee Training, including: Engaging Training Videos, Compliance Testing with Security Tips and Best Practice Reminders, Employee Certificates and Administrator Training Reports
    3. Use of Compliance Portal, including: Employee Access to HIPAA Policies and Procedures, Business Associate Tracking, Security Incident Module, Server Room Access Tracking, Disaster Recovery Plan Storage, Articles and Reference Materials, and Contracts and Document Storage
    4. 19 Customizable HIPAA Policies and Procedures Templates, including: Sample Administrative, Physical and Technical Safeguard Policies
  4. Upon request, DAS may be able to provide Client with access to purchase additional Cyber Insurance through its vendor. It is the Client’s responsibility to retain evidence of any insurance policies purchased and work directly with those institutions. 
  5. In the event that the number of Client’s employees exceeds the maximum number included in the purchased package, the Client will be automatically upgraded to the next tier to accommodate the additional employees. Client will be notified of such change and offered a list to verify and reconcile employees. It is the Client’s responsibility to ensure that the employees listed in the portal are accurate.
  6. It is Client’s sole responsibility to ensure that Client is in compliance with HIPAA and all other applicable local, state, and federal laws and regulations. The SRA does not take the place of Client’s diligence and responsibility for compliance, and is only a tool to provide assistance in such compliance. DAS shall have no liability to Client for any loss occasioned by Client’s conduct or the conduct of Client’s officers, agents, contractors or employees. In no event shall DAS be liable to Client for direct, indirect, incidental, or consequential damages, it being understood and agreed that Client hereby expressly waives any and all claims against DAS for any loss, cost, damages or liability that may be incurred by Client as a result of DAS’ acts or failures to act hereunder.