New HIPAA Tool Released by the Federal Government – Makes Assessing Risks Easier and It Won’t Cost You a Dime

Do you lie awake at night wondering if you or the health care entity for which you work is complying with the Health Insurance Portability and Accountability Act (“HIPAA”)? If so, you will be happy to hear that a good night’s sleep might be in your future.

The government recently released a new software tool, called the Security Risk Assessment Tool (“SRA”), which organizations can use to identify HIPAA vulnerabilities. According to the press release issued by the U.S. Department of Health and Human Services (“HHS”), the SRA is geared toward small- to medium-sized organizations, and it is “designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations . . . .”

Entities that have access to or handle protected health information, such as covered entities and business associates, are required by HIPAA to perform risk assessments of vulnerabilities to protected health information, including a review of HIPAA required administrative, physical, and technical safeguards. Failure to perform a proper risk assessment as required by HIPAA can lead to large penalties. HHS hopes that the SRA will improve providers’ compliance with HIPAA.

The SRA, as well as instructions and an additional description of the SRA’s features and functions, are available here. The SRA is designed as a series of questions. By answering the questions, providers are guided through the HIPAA risk assessment process to identify security risks to protected health information. According to HHS, the SRA contains resources with each question to help providers do the following:

  • Understand the context of the question;
  • Consider the potential impacts to your PHI if the requirement is not met; and
  • See the actual safeguard language of the HIPAA Security Rule.

Note that this process will likely be time consuming as the SRA contains a total of 156 questions. However, providers do not need to complete all questions at once – the SRA permits users to save their progress and continue at a later time.

Although the SRA may seem like a miracle for some providers, the SRA contains a disclaimer that it does not guarantee compliance with federal, state, or local laws. Therefore, while HHS notes that the SRA produces a report that can be submitted to auditors, you should be aware that your use of the SRA does not guarantee that you will be protected from potential HIPAA breaches and fines. You should still consult with an experienced health care attorney for advice regarding your obligations under the law.

The Health Law Gurus™ will continue to follow issues regarding HIPAA tools and compliance.

You can read the HHS press release here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising
