HHS Updates the HIPAA Security Risk Assessment Tool
The HHS’ Office for Civil Rights (OCR) in conjunction with the Assistant Secretary for Technology Policy (ASTP) has released an updated version of the Security Risk Assessment (SRA) Tool.
OCR’s investigations of large data breaches have revealed the risk analysis to be one of the most commonly identified HIPAA noncompliance issues. Investigations have often uncovered a failure to conduct a HIPAA risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) and incomplete risk analyses, where a HIPAA-regulated entity has failed to conduct a comprehensive and accurate risk analysis covering all ePHI and systems that touch ePHI.
The risk analysis is one of the most important activities in cybersecurity and is vital for HIPAA compliance, not just compliance with the risk analysis implementation specification but several other HIPAA Security Rule requirements. The SRA tool was released to help small- and medium-sized healthcare organizations identify risks and vulnerabilities to ePHI allowing them to take action to address risks to improve their security posture.
The SRA tool is a desktop application that guides HIPAA-regulated entities through the risk assessment process by asking a series of multiple choice questions to help them identify risks and vulnerabilities to ePHI. Any identified risks should then be reduced to a reasonable and appropriate level.
The latest version of the SRA Tool – version 3.5 – includes several enhancements based on feedback received from users of the previous version of the tool, incorporates the latest cybersecurity guidance, and includes content improvements and bug fixes.
The updated SRA Tool incorporates references to the NIST Cybersecurity Framework (CSF) 2.0, which replaced version 1.1 of the NIST CSF, references to the Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs) announced by OCR in January 2024, and new content on supply chain risks. The instructions and guidance on the use of the tool have also been updated in the new version.
OCR has launched an enforcement initiative focused on compliance with the risk analysis implementation of the HIPAA Security Rule and has already announced the first financial penalty for noncompliance with this foundational cybersecurity activity.