The Government Is Here To Help: HHS Releases HIPAA Security Risk Assessment Tool For Small Providers


The U.S. Department of Health and Human Services ("HHS") has just released a new security risk assessment ("SRA") tool to assist small and medium-sized health care practices (one to ten providers) in conducting a HIPAA risk assessment of their organization.

The HIPAA Security Rule requires that all health care organizations that are HIPAA covered entities or business associates conduct a thorough and accurate risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. The results of the HIPAA audits conducted by the HHS Office for Civil Rights ("OCR") and recent HIPAA breach settlement agreements highlight the importance OCR places on HIPAA risk assessments. However, many smaller physician practices do not know how to complete a risk assessment that meets the HIPAA Security Rule requirement.

The SRA tool is a free software application for Windows operating systems and for the iPad (iOS) that a health care practice can download and use to assist in reviewing its implementation of the HIPAA Security Rule. The 156-question tool addresses the implementation specifications included in the HIPAA Security Rule and covers basic security practices, security failures, risk management, and personnel issues. The tool also identifies issues to consider in responding to the questions, possible threats and vulnerabilities, and examples of safeguards the organization may adopt. HHS says that the tool allows providers to "conduct and document a risk assessment in a thorough, organized fashion at their own pace." The application produces a report that the practice can later provide to auditors. Because the practice downloads the application, the government will not have access to assessment results unless the practice chooses to share that information. The SRA tool is solely for the purpose of conducting an internal HIPAA risk assessment as required by the HIPAA Security Rule; it does not produce a statement of compliance and does not assess compliance with provisions of the HIPAA Privacy Rule.

The Office of National Coordinator for Health Information Technology is soliciting comments on the new SRA tool until June 2, 2014. Comments may be submitted to this address:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising
