The Government Is Here To Help: HHS Releases HIPAA Security Risk Assessment Tool For Small Providers


The U.S. Department of Health and Human Services ("HHS") has just released a new security risk assessment ("SRA") tool to assist small and medium-sized health care practices (one to ten providers) in conducting a HIPAA risk assessment of their organization.

The HIPAA Security Rule requires all health care organizations that are HIPAA covered entities or business associates to conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. The results of the HIPAA audits conducted by the HHS Office for Civil Rights ("OCR") and recent HIPAA breach settlement agreements highlight the importance OCR places on HIPAA risk assessments. However, many smaller physician practices do not know how to complete a risk assessment that meets the HIPAA Security Rule requirement.

The SRA tool is a free software application for Windows and for the iPad (iOS) that a health care practice can download and use to assist in reviewing its implementation of the HIPAA Security Rule. The 156-question tool addresses the implementation specifications included in the HIPAA Security Rule and covers basic security practices, security failures, risk management, and personnel issues. For each question, the tool also identifies issues to consider in responding, possible threats and vulnerabilities, and examples of safeguards the organization may adopt. HHS says that the tool allows providers to "conduct and document a risk assessment in a thorough, organized fashion at their own pace." The application produces a report that the practice can later provide to auditors. Because the practice downloads and runs the application locally, the government will not have access to assessment results unless the practice chooses to share that information. The SRA tool is solely for the purpose of conducting an internal HIPAA risk assessment as required by the HIPAA Security Rule; it does not produce a statement of compliance and does not assess compliance with provisions of the HIPAA Privacy Rule.

The Office of National Coordinator for Health Information Technology is soliciting comments on the new SRA tool until June 2, 2014. Comments may be submitted to this address:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising
