New HIPAA Tool Released by the Federal Government – Makes Assessing Risks Easier and It Won’t Cost You a Dime

Do you lie awake at night wondering if you or the health care entity for which you work is complying with the Health Insurance Portability and Accountability Act (“HIPAA”)? If so, you will be happy to hear that a good night’s sleep might be in your future.

The government recently released a new software tool, called the Security Risk Assessment Tool (“SRA”), which organizations can use to identify HIPAA vulnerabilities. According to the press release issued by the U.S. Department of Health and Human Services (“HHS”), the SRA is geared toward small- to medium-sized organizations, and it is “designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations . . . .”

Entities that have access to or handle protected health information, such as covered entities and business associates, are required by HIPAA to perform risk assessments of vulnerabilities to protected health information, including a review of HIPAA-required administrative, physical, and technical safeguards. Failure to perform a proper risk assessment as required by HIPAA can lead to large penalties. HHS hopes that the SRA will improve providers’ compliance with HIPAA.

The SRA, as well as instructions and an additional description of the SRA’s features and functions, are available here. The SRA is designed as a series of questions. By answering the questions, providers will be guided through the HIPAA risk assessment process to identify security risks to protected health information. According to, the SRA contains resources with each question to help providers do the following:

  • Understand the context of the question;
  • Consider the potential impacts to your PHI if the requirement is not met; and
  • See the actual safeguard language of the HIPAA Security Rule.

Note that this process will likely be time-consuming, as the SRA contains a total of 156 questions. However, providers do not need to complete all questions at once – the SRA permits users to save their progress and continue at a later time.

Although the SRA may seem like a miracle for some providers, the SRA contains a disclaimer that it does not guarantee compliance with federal, state, or local laws. Therefore, while HHS notes that the SRA produces a report that can be submitted to auditors, you should be aware that your use of the SRA does not guarantee that you will be protected from potential HIPAA breaches and fines. You should still consult with an experienced health care attorney for advice regarding your obligations under the law.

The Health Law Gurus™ will continue to follow issues regarding HIPAA tools and compliance.

You can read the HHS press release here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising
