Under the HIPAA Security Rule, a covered entity or business associate must perform risk assessments to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Failing to conduct risk assessments is a common basis for significant fines.
Risk assessments, however, can be a daunting task, particularly for smaller organizations with limited resources. In an effort to help organizations perform risk assessments and comply with the HIPAA Security Rule, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool.
The SRA Tool is designed for small to medium-sized health care practices (up to 10 health care providers) and business associates to help them identify risks and vulnerabilities to ePHI.
Some of the improvements include:
- Enhanced User Interface and Overall Experience;
- Progress Tracker;
- Improved Threats & Vulnerabilities Rating;
- Detailed Reports; and
- Business Associate and Asset Tracking.
Importantly, use of the SRA Tool is not required by HIPAA and using it alone does not guarantee HIPAA Security Rule compliance. However, the tool may help organizations (particularly smaller ones) comply with the HIPAA Security Rule requirement to conduct periodic security risk assessments.