The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Office of the General Counsel (OGC) have released their Security Risk Assessment (SRA) tool. The SRA tool is designed to assist Covered Entities and their Business Associates (BAs) in complying with the HIPAA Security Rule’s requirement that they establish administrative, physical, and technical safeguards for electronic protected health information (ePHI). A thorough risk assessment should reveal where an organization’s ePHI is exposed so that breaches and other security incidents can be headed off before they occur.
This SRA tool is geared toward small- to medium-sized Covered Entity health care providers but serves as a useful guide for all Covered Entities and BAs regulated by the HIPAA Security Rule. The tool serves as a local repository for security-related information and does not send data outside of a Covered Entity or BA but provides a report that an entity can share with its security auditors.
You can download the tool here; view training/tutorial videos here; access the user guide here; and review OCR’s press release here. The SRA Tool is a self-contained application that runs in several environments, including Windows operating systems for desktop and laptop computers and Apple’s iOS (iPad only).
Regulated entities should take care to distinguish this broader Risk “Assessment” – which HHS more often calls a Risk “Analysis” – from the narrower four-factor Risk Assessment required to determine whether an impermissible use or disclosure of PHI constitutes a breach under HHS’s January 2013 Omnibus Rule (which replaced the “risk of harm” standard of the 2009 Interim Final Rule).