Matthew S. Arend
Publications

Government Releases New Tool to Assist with HIPAA Security Rule Risk Assessments

March 31, 2014Articles
The Office of Civil Rights (OCR), in collaboration with the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Office of General Counsel (OGC), released a new security risk assessment (SRA) tool for use by small to medium sized health care providers in order to conduct the risk assessments required under the HIPAA Security Rule.

The tool can be downloaded from the HealthIT.gov website and is designed to help practices conduct and document a risk assessment by allowing them to analyze the information security risks in their organizations. The tool functions by taking them through each HIPAA requirement and presenting a “yes” or “no” question about the practice’s activities. There are a total of 156 questions in the SRA and each answer will show the practice whether corrective action may be needed for that particular item. Additional informational resources are also provided with each question to help understand the context of the question, the actual language of the HIPAA Security Rule at issue, and the potential risks and consequences of the requirement is not met.

Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program. While the government cautions that the use of the SRA Tool is neither required by nor guarantees compliance with federal, state or local laws, health care providers can utilize the tool to uncover potential weaknesses in their security policies, processes and systems and can address vulnerabilities, potentially preventing health data breaches or other adverse security events.

The SRA Tool is available at no cost, is entirely self-contained, and can be run on numerous operating systems, including Microsoft Windows and Apple’s iOS for iPad users. The assessment process can be paused at any time and assessment results are available in a color-coded graphic view (Windows version only) or in printable PDF and Excel formats. The SRA Tool has been designed to serve as a local repository for the practice’s risk assessment resources and risk remediation plan and does not send any information entered into it to any other entity.

The SRA Tool, along with videos and other risk assessment guidance from HHS, can be downloaded at http://www.healthit.gov/providers-professionals/security-risk-assessment. The iOS iPad version is available from the Apple App Store (search under “HHS SRA tool”).

Should you have any questions concerning your organization’s HIPAA compliance efforts or implementation, please contact Jennifer Orr Mitchell at [email protected] or Matthew Arend at [email protected].