A new version of the Security Risk Assessment (SRA) tool has been released by the Department of Health and Human Services’ Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC). In 2014, the two offices jointly developed the SRA tool to help small and medium-sized healthcare providers and their business associates conduct comprehensive security risk assessments.
Security risk assessments are a crucial part of compliance with the HIPAA Security Rule. The Security Rule requires HIPAA-regulated entities to conduct a thorough, accurate risk analysis to identify the threats to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) they create, receive, maintain, or transmit. The results of the risk analysis help the entity identify and implement the most suitable and effective administrative, physical, and technical safeguards to protect ePHI. The risk analysis also helps the entity evaluate whether it is meeting the safeguards the Security Rule requires. OCR regularly takes enforcement action against healthcare organizations that fail to conduct an adequate risk analysis, and the penalties can include substantial financial settlements and fines.
HIPAA-regulated entities can use the SRA tool as a guide through the risk assessment process. The SRA tool is a free, downloadable desktop application that uses a simple, wizard-based approach. Users are guided through the assessment with multiple-choice questions, threat and vulnerability assessments, asset and vendor management, and related tasks. The tool has been revised several times since its launch. The latest update adds several feature improvements, including references to the Health Industry Cybersecurity Practices (HICP), bug fixes, and file association in Windows.
OCR and ONC have also released the SRA tool as an Excel workbook. It contains the same content as the Windows application, presented in a familiar spreadsheet format. The Excel workbook is intended to replace the earlier “paper version” and to give access to users who do not run Microsoft Windows.
OCR and ONC have advised that the SRA tool is intended for smaller providers, not for larger organizations. It is also important to note that completing the SRA tool does not, by itself, guarantee HIPAA compliance. If there is any doubt about a healthcare organization’s compliance with HIPAA, it should consult HIPAA compliance specialists.