HHS announces new risk assessment tool for HIPAA security compliance


Recently, the Department of Health and Human Services released an interactive security risk assessment tool intended to assist employers who sponsor self-insured group health plans in complying with their HIPAA security rule obligations. As background, HIPAA requires self-insured group health plans and their business associates to protect the confidentiality, integrity and availability of their electronic protected health information (ePHI). Most importantly in this regard, the law requires that these plans conduct a thorough and accurate assessment of the potential risks and vulnerabilities to their ePHI. The requirement for a group health plan to conduct a security risk assessment has been in place since the HIPAA Security Rule was promulgated in 2003; however, very few group health plans have conducted security risk assessments, for a number of reasons. In a recent HHS audit of covered entities, 20 of 35 health plans and 47 of 59 health care providers had not conducted a complete or accurate security risk assessment.

[Image: HIPAA security assessment tool]

With HHS audit activity increasing and the potential for significant enforcement penalties, it is more important than ever for employers to make sure they have HIPAA privacy and security compliance covered. For example, last year HHS announced a $1.2 million settlement with the Affinity Health Plan in connection with a HIPAA breach resulting from returning a leased copy machine without “wiping” the hard drive containing ePHI of over 340,000 health plan members.

The new HHS risk assessment software and toolkit can be accessed at http://www.healthit.gov/security-risk-assessment, and includes a user guide and tutorial video.

Security risk assessments are a key component of a covered entity’s or business associate’s HIPAA compliance program, which should include the following elements required by the regulations: HIPAA privacy and security policies, breach investigation procedures and notification policies, initial and refresher training for workforce members, and updated business associate and subcontractor business associate agreements with third parties and vendors.

HIPAA privacy and security rules also apply to health care providers and their business associates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McAfee & Taft | Attorney Advertising
