The CMS risk assessment tool is certainly a viable option. But for reasons I go into here, I really dislike it. I believe that if an eligible provider uses it in good faith to meet the meaningful use requirement, its use is probably fine. I am much less confident it would pass scrutiny for a HIPAA audit, even less confident if it were used in response to a complaint. I have no confidence it would suffice if it were used in response to a breach investigation in which the investigator concludes that, had the entity done an adequate risk analysis, the breach could have been prevented. The tool is quite ineffective, in the hands of a non-expert, at actually identifying threats and vulnerabilities as required by the HIPAA rule.