HHS's New Security Risk Tool for HIPAA Compliance


On March 28, 2014, the HHS Office of the National Coordinator for Health Information Technology (ONC), in conjunction with the HHS Office for Civil Rights (OCR), released a Security Risk Assessment tool (SRA tool) to assist small- to medium-sized providers as they perform a security risk assessment, as required by the HIPAA Security Rule.

Often a daunting (and expensive) task, a security risk assessment is meant to uncover potential weaknesses in a provider's security policies, procedures and systems in order to prevent data breaches and other security incidents. A security risk assessment is the first step in HIPAA's core compliance obligations, and the failure to conduct a proper security risk assessment is the first issue cited in every enforcement action in this area. In the past, some of the largest penalties have been levied against entities that experienced a data event but had failed to conduct a proper security risk assessment.

With the SRA tool, HHS is seeking to simplify the process for smaller providers. The SRA tool takes a provider through each HIPAA requirement by asking a series of "yes" or "no" questions (156 total) about an organization's activities. Every "yes" or "no" question will explain whether corrective action should be taken for a particular item. Notably, each question provides resources to help providers (1) understand the context of the question; (2) consider the potential impacts to the entity's PHI if the requirement is not met; and (3) see the actual safeguard language in the HIPAA Security Rule. All answers, comments and risk remediation plans can be saved directly in the tool. The results can be printed in PDF or Excel formats to produce a report for auditors.

The SRA tool is currently available for Windows and Apple's iPad operating systems. The SRA Tool application for iPad, available at no cost, can be downloaded from Apple's App Store. More information can be found on the SRA tool's website.

Read the official HHS press release here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
