On Tuesday, September 15, the U.S. Department of Health and Human Services Office of the National Coordinator (ONC), in partnership with the Office for Civil Rights (OCR), released an update to the previously published Security Risk Assessment (SRA) Tool. All covered entities and their business associates are required to perform an SRA, and it is recommended that these be performed on an annual basis or at the time of any material change in operations. The SRA tool provides support for small- and medium-sized health care organizations in their efforts to assess security risks, but it also helps to inform others on how OCR reviews these activities. According to the release, "the newly enhanced version of the SRA Tool includes a variety of new features like improved navigation throughout the assessment sections, export options for reports, and enhanced user interface scaling."
What is an SRA? First, it is helpful to know what it is not: an assessment of how an organization meets each of the HIPAA Security Rule requirements. Such an assessment is only one small step in the process of an SRA. A properly conducted SRA also includes an analysis of the risks, threats and vulnerabilities to the confidentiality, integrity and availability of protected health information. It should be performed on all systems creating, receiving, transmitting or maintaining protected health information – not just the electronic health records system.
Larger organizations (both business associates and covered entities) can benefit from reviewing these enhancements to ensure their continued understanding of how OCR will view SRAs, and should use this as an opportunity to make sure the organization has an SRA that meets current expectations. Remember, the SRA is the first document requested by OCR in the case of a breach and is almost always cited as an issue in OCR and State Attorneys General settlement agreements.
A link to the updated SRA can be found here.