The U.S. Department of Health and Human Services (HHS) recently released a security risk assessment (SRA) tool as a resource to assist health care providers in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI). The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI. The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.