The HIPAA Security Rule requires HIPAA-regulated entities to conduct a security risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Despite its importance, many HIPAA-covered entities struggle with risk assessments and risk assessment/analysis failures are among the most common types of HIPAA violations.
The aim of a security risk assessment is to identify risks and vulnerabilities to ePHI to allow them to be effectively managed and reduced to an acceptable level. A security risk assessment can also help HIPAA-regulated entities determine if they are compliant with the administrative, physical, and technical safeguards of the HIPAA Security Rule.
To help small- and medium-sized HIPAA-regulated entities with this aspect of Security Rule compliance, the Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) jointly developed the HHS Security Risk Assessment (SRA) Tool. This week, ONC and OCR announced that an updated version of the Tool – version 3.3 – has been released. The new and improved SRA Tool includes several feature enhancements that have been made in response to public comments and feedback from users.
The SRA Tool is a downloadable application for Windows that guides users through the risk assessment process. The SRA Tool uses a wizard format, includes multiple-choice questions, threat and vulnerability assessments, and asset and vendor management, and will generate reports that can be saved or printed.
While the SRA Tool can help organizations with their security risk assessments, use of the SRA Tool does not guarantee compliance with federal, state, or local laws. The HHS says the tool “is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks,” and may not be appropriate for larger healthcare organizations, although it is very useful, especially for organizations unfamiliar with conducting risk assessments.
A companion paper version of the SRA Tool was released that could be used by HIPAA-regulated entities that do not have access to Windows devices. ONC and OCR have announced that a new SRA Tool Excel Workbook has now been made available to replace the legacy paper version of the Tool. The Excel Workbook uses conditional formatting and formulas to calculate and help identify risks in a similar fashion to the SRA Tool application.