HHS Updates the HIPAA Security Risk Assessment Tool


The HHS’ Office for Civil Rights (OCR) in conjunction with the Assistant Secretary for Technology Policy (ASTP) has released an updated version of the Security Risk Assessment (SRA) Tool.

OCR’s investigations of large data breaches have revealed the risk analysis to be one of the most commonly identified HIPAA noncompliance issues. Investigations have often uncovered either a complete failure to conduct a HIPAA risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), or an incomplete risk analysis, where a HIPAA-regulated entity has failed to conduct a comprehensive and accurate risk analysis covering all ePHI and all systems that touch ePHI.

The risk analysis is one of the most important activities in cybersecurity and is vital for HIPAA compliance, not just for compliance with the risk analysis implementation specification but for several other HIPAA Security Rule requirements as well. The SRA Tool was released to help small- and medium-sized healthcare organizations identify risks and vulnerabilities to ePHI, allowing them to take action to address those risks and improve their security posture.

The SRA Tool is a desktop application that guides HIPAA-regulated entities through the risk assessment process by asking a series of multiple-choice questions to help them identify risks and vulnerabilities to ePHI. Any identified risks should then be reduced to a reasonable and appropriate level.

The latest version of the SRA Tool – version 3.5 – includes several enhancements based on feedback received from users of the previous version of the tool, incorporates the latest cybersecurity guidance, and includes content improvements and bug fixes.

The updated SRA Tool incorporates references to the NIST Cybersecurity Framework (CSF) 2.0, which replaced version 1.1 of the NIST CSF, references to the Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs) announced by OCR in January 2024, and new content on supply chain risks. The instructions and guidance on the use of the tool have also been updated in the new version.


OCR has launched an enforcement initiative focused on compliance with the risk analysis implementation specification of the HIPAA Security Rule and has already announced the first financial penalty for noncompliance with this foundational cybersecurity activity.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/