HHS releases HIPAA risk assessment tool


The US Department of Health and Human Services has released a new security risk assessment tool to help providers with HIPAA compliance.

The security risk assessment (SRA) tool is targeted at healthcare providers in small to medium sized offices.

The result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR), it is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information.

By conducting these risk assessments, healthcare providers can uncover potential weaknesses in their security policies, processes and systems.  Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.

Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program.

“Protecting patients’ protected health information is important to all healthcare providers and the new tool we are releasing today will help them assess the security of their organizations,” said Dr Karen DeSalvo, national coordinator for health information technology.

“The SRA tool and its additional resources have been designed to help healthcare providers conduct a risk assessment to support better security for patient health data.”

“We are pleased to have collaborated with the ONC on this project,” added Susan McAndrew, deputy director of OCR’s division of health information privacy. “We believe this tool will greatly assist providers in performing a risk assessment to meet their obligations under the HIPAA Security Rule.”

The SRA tool’s website contains a user guide and tutorial video to help providers begin using the tool. Videos on risk analysis and contingency planning are available at the website to provide further context.

US Department of Health and Human Services, HIPAA, ONC, OCR, Karen DeSalvo, US, Susan McAndrew, SRA