Changes to the Security Risk Assessment (SRA) Tool Require Attention

Baker Ober Health Law


The HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) released an updated Security Risk Assessment (SRA) Tool this week. All covered entities and business associates must review this updated tool to ensure they are addressing the risks identified by OCR and ONC. An enterprise-wide SRA is not only a requirement of the HIPAA Security Rule, it is a foundational process designed to identify and mitigate security concerns for information systems to prevent costly data breaches whenever possible.

What is an SRA? First, it is helpful to know what it is not: it is not an assessment of how an organization meets each of the HIPAA Security Rule requirements. Such an assessment is only one small step in the process of an SRA; a properly conducted SRA also includes an analysis of the risks, threats and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). This information is then analyzed across all information systems containing ePHI to determine the likelihood of harm and the potential risk level (high, medium or low).

While the OCR/ONC SRA Tool was designed for use by small to medium-sized health care practices – those with one to ten health care providers – covered entities and business associates should consider reviewing the Tool to help them ascertain the kinds of risks and vulnerabilities to ePHI that OCR has identified. The updated tool provides enhanced functionality to document how organizations can implement or plan to implement appropriate security measures to protect ePHI. New features include but are not limited to a progress tracker, detailed reporting, and business associate and asset tracking.

Larger organizations (both business associates and covered entities) can benefit from reviewing these enhancements to maintain their understanding of how OCR will view SRAs, and should use this as an opportunity to make sure the organization has an SRA that meets current expectations. Remember, the SRA is the first document requested by OCR in the case of a breach and is almost always cited as an issue in OCR and State Attorneys General settlement agreements.

A link to the updated SRA can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Ober Health Law | Attorney Advertising
