The U.S. Department of Health and Human Services (“HHS”), in collaboration with the Office of the National Coordinator for Health Information Technology (“ONC”), recently developed a tool to assist certain health care providers with conducting security risk assessments (the “SRA Tool”) as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The HIPAA Security Rule requires all Covered Entities and Business Associates to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (“ePHI”) accurately and thoroughly.  The SRA Tool was created to assist certain entities with the assessment process and also to facilitate the creation of documentation that may be useful in the event of an audit.

According to the user guide, the SRA Tool is meant for practices with 1 – 10 health care providers.  It essentially translates HIPAA security requirements into question form for the user to answer, and it also generates a report that may display gaps in compliance.  Importantly, utilizing the SRA Tool does not render an entity HIPAA compliant.  Instead, use of the SRA Tool helps the entity comply with one specific HIPAA requirement and also helps to identify areas of risk that require attention.

The ONC intends to update and improve the SRA Tool over time.  Accordingly, comments regarding the SRA Tool may be submitted via http://www.HealthIT.gov/security-risk-assessment until June 2, 2014.

Posted by Leah Roffman
