Government targets ‘risky business’ with free HIPAA assessment tool


Last week, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services released a toolkit that covered entities and business associates can use to perform a security risk assessment. The HIPAA Security Rule requires covered entities to perform a risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). That requirement has been in place since the HIPAA Security Rule was promulgated in 2003. The HIPAA Omnibus Rule extended the security risk assessment obligation to business associates effective September 23, 2013. Security risk assessments are also mandatory for health care providers seeking payment through the Medicare and Medicaid EHR Incentive (Meaningful Use) Programs.

Failure to Conduct Risk Assessments

Nonetheless, many covered entities and business associates have not conducted a security risk assessment, for a number of reasons: they have focused on compliance with the HIPAA Privacy Rule, which is easier to implement; the HIPAA Security Rule is technical and difficult to put into practice; OCR has issued very little guidance on security risk assessments; small organizations do not have IT staff with the necessary expertise; and engaging an IT firm can be cost-prohibitive. In the recent OCR audit of covered entities, 47 of 59 health care providers and 20 of 35 health plans had not conducted a complete or accurate security risk assessment. Clearly, the government is aware of these obstacles.

Some Leniency Thus Far

The government has made efforts to educate covered entities about HIPAA security compliance in resolving many complaints and breach investigations in the last 10 years. Only recently has the government imposed significant penalties for ePHI breaches — and those breaches involved ePHI of thousands of individuals, notably, the Affinity Health Plan $1.2 million settlement stemming from returning a leased copy machine without “wiping” the hard drive containing ePHI of over 340,000 health plan members (and failing to address it in the security risk assessment).

That’s about to change. With the release of the security risk assessment toolkit, the government will expect covered entities and business associates to use the free resources to conduct a risk analysis. It is not a “one-size-fits-all” risk assessment tool, but it provides the necessary framework for conducting the security risk assessment.

Downloadable Software

The software and toolkit can be accessed at, and includes a user guide and tutorial video.

Security risk assessments are a key component of a covered entity’s or business associate’s HIPAA compliance program, which should include: HIPAA privacy and security policies, breach investigation procedures and notification policies, initial and refresher training for workforce members, and updated business associate and subcontractor business associate agreements with third parties and vendors.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McAfee & Taft | Attorney Advertising
