HHS Releases Update to Security Risk Assessment Tool

Baker Ober Health Law

Baker Ober Health Law

On Tuesday, September 15, the U.S. Department of Health and Human Services Office of the National Coordinator (ONC), in partnership with the Office for Civil Rights (OCR), released an update to the previously published Security Risk Assessment (SRA) Tool. All covered entities and their business associates are required to perform an SRA and it is recommended these be performed on an annual basis or at the time of any material change in operations. The SRA tool provides support for small- and medium-sized health care organizations in their efforts to assess security risks, but it also helps to inform others on how OCR reviews these activities. According to the release, "the newly enhanced version of the SRA Tool includes a variety of new features like improved navigation throughout the assessment sections, export options for reports, and enhanced user interface scaling."

What is an SRA? First, it is helpful to know what it is not: An assessment of how an organization meets each of the HIPAA Security Rule requirements. An assessment is only one small step in the process of an SRA. A properly conducted SRA also includes an analysis of the risks, threats and vulnerabilities to the confidentiality, integrity and availability of protected health information. It should be performed on all systems creating, receiving, transmitting or maintaining protected health information – not just the electronic health records system.

Larger organizations (both business associates and covered entities) can benefit from reviewing these enhancements to ensure their continued understanding of how OCR will view SRAs and should use this as an opportunity to make sure the organization has an SRA that meets current expectations. Remember, the SRA is the first document requested by OCR in the case of a breach and is almost always cited as an issue in all OCR and States Attorneys' General settlement agreements.

A link to the updated SRA can be found here

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Ober Health Law | Attorney Advertising

Written by:

Baker Ober Health Law

Baker Ober Health Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.