HHS's New Security Risk Tool for HIPAA Compliance


On March 28, 2014, the HHS Office of the National Coordinator for Health Information Technology (ONC), in conjunction with the HHS Office for Civil Rights (OCR), released a Security Risk Assessment tool (SRA tool) to assist small- to medium-sized providers as they perform a security risk assessment, as required by the HIPAA Security Rule.

Often a daunting (and expensive) task, a security risk assessment is meant to uncover potential weaknesses in a provider's security policies, procedures and systems in order to prevent data breaches and other security incidents. A security risk assessment is the first step in HIPAA's core compliance obligations, and the failure to conduct a proper security risk assessment is the first issue cited in every enforcement action in this area. In the past, some of the largest penalties have been levied against entities that experienced a data event but had failed to conduct a proper security risk assessment.

With the SRA tool, HHS is seeking to simplify the process for smaller providers. The SRA tool takes a provider through each HIPAA requirement by asking a series of "yes" or "no" questions (156 total) about an organization's activities. For each "yes" or "no" question, the tool explains whether corrective action should be taken for that particular item. Notably, each question provides resources to help providers (1) understand the context of the question; (2) consider the potential impacts to the entity's PHI if the requirement is not met; and (3) see the actual safeguard language in the HIPAA Security Rule. All answers, comments and risk remediation plans can be saved directly in the tool. The results can be printed in PDF or Excel format to produce a report for auditors.

The SRA tool is currently available for Windows and Apple's iPad operating systems. The SRA Tool application for iPad, available at no cost, can be downloaded from Apple's App Store. More information can be found on the SRA tool's website.

Read the official HHS press release here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
