Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Health Privacy/HIPAA

HHS Releases Security Risk Assessment Tool

The U.S. Department of Health and Human Services (HHS) recently released a security risk assessment (SRA) tool as a resource to assist health care providers in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI).  The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI.  The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.

The SRA tool, developed through a collaboration between the Office of the National Coordinator for Health Information Technology (ONC), the HHS Office for Civil Rights (OCR), and the HHS Office of the General Counsel, is a downloadable application designed primarily for small and medium health care providers.

Once an entity downloads the tool, it will be guided through a series of questions regarding its administrative, technical, and physical safeguards with respect to ePHI.  The tool guides the entity through the requirements of the Security Rule and provides additional guidance materials, including additional items to consider, information about threats and vulnerabilities, and examples of safeguards.

The announcement of the SRA tool underscores the increased focus by HHS on HIPAA Security Rule enforcement.  Through audits and enforcement actions, the agency has continued to highlight the importance of risk assessments for all covered entities and business associates.  OCR is preparing for a new round of HIPAA audits in 2014 which will reach 1,200 covered entities and business associates.  Entities that have not already completed a risk assessment must do so in order to comply with the Security Rule and better understand the potential vulnerabilities they face.  Entities that have performed risk assessments should ensure that they are up to date and cover all the services or products covered by HIPAA.

Special thanks to Madeline Gitomer, an Associate in our Washington, D.C. office, for her assistance in the preparation of this entry.