HHS Releases a New Security Risk Assessment Tool


The Department of Health and Human Services (HHS) recently released a new security risk assessment (SRA) tool for small- to medium-sized health care providers. HIPAA requires covered entities to conduct periodic assessments of the administrative, physical, and technical safeguards in their handling of protected health information. This new tool will help health care providers conduct and document risk assessments and produce a report that can be provided to potential auditors.

The tool was created jointly by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office of Civil Rights (OCR), and its release precedes OCR’s expected launch of a permanent HIPAA audit program. The OCR has previously identified security risk assessments as an area of consistent weakness among covered entities and has said it will be a particular focus for auditors.

Entities using the new tool will be asked 156 “yes” or “no” questions. Each question addresses a specific HIPAA requirement, and additional resources are provided with each question to help providers better understand the language and requirements of the associated HIPAA security rule. In the event that a provider answers “no” or cannot answer an applicable question, the provider must note the need for corrective action and implement a plan immediately.

Providers can download the SRA Tool and additional guidance here. The ONC plans to make updates and improvements to the tool after an initial period of use. Comments regarding the SRA Tool may be submitted here until June 2, 2014.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising

Written by:


Cozen O'Connor on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.