HHS's New Security Risk Tool for HIPAA Compliance


On March 28, 2014, the HHS Office of the National Coordinator for Health Information Technology (ONC), in conjunction with the HHS Office for Civil Rights (OCR), released a Security Risk Assessment tool (SRA tool) to assist small- to medium-sized providers as they perform a security risk assessment, as required by the HIPAA Security Rule.

Often a daunting (and expensive) task, a security risk assessment is meant to uncover potential weakness in a provider's security policies, procedures and systems to prevent data breaches and other security incidents. A security risk assessment is the first step in HIPAA's core compliance obligations, and the lack of conducting a proper security risk assessment is the first issue cited in every enforcement action in this area. In the past, some of the largest penalties have been levied against those entities that experienced a data event, but failed to conduct a proper security risk assessment.

With the SRA tool, HHS is seeking to simplify the process for smaller providers. The SRA tool takes a provider through each HIPAA requirement by asking a series of "yes" or "no" questions (156 total) about an organization's activities. Every "yes" or "no" question will explain whether corrective action should be taken for a particular item. Notably, each question provides resources to help providers (1) understand the context of the question; (2) consider the potential impacts to the entity's PHI if the requirement is not met; and (3) see the actual safeguard language in the HIPAA Security Rule. All answers, comments and risk remediation plans can be saved directly in the tool. The results can be printed in PDF or Excel formats to produce a report for auditors.

The SRA tool is currently available for Windows and Apple's iPad operating systems. The SRA Tool application for iPad, available at no cost, can be downloaded from Apple's App Store. More information can be found on the SRA tool's website.

Read the official HHS press release here.

Topics:  Compliance, Cybersecurity, Data Breach, Data Protection, HHS, HIPAA, OCR

Published In: Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »