HHS Releases HIPAA Security Risk Assessment Tool

April 14, 2014
Health Care Alert

Recognizing the challenges facing providers in conducting risk assessment under HIPAA, the federal Department of Health and Human Services has released a security risk assessment tool (the "SRA") to help providers with HIPAA compliance.

The SRA is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology and Office for Civil Rights, and is particularly designed for providers in small- to medium-sized offices to help them conduct and document a security risk assessment under HIPAA in a thorough, organized fashion. The tool, which is available as an application for Windows and for iOS iPads, also produces a report that can be provided to auditors. The Windows version is available for downloading at www.HealthIT.gov/security-risk-assessment and the iOS iPad version is available from the Apple App Store (search for "HHS SRA tool").

Under HIPAA, covered entities and business associates must conduct regular risk assessments of the administrative, physical and technical safeguards they have in place to protect the security of protected health information. Risk assessments can help providers uncover potential weaknesses in their security policies, processes and systems and hopefully anticipate and prevent health data breaches and other adverse security events. Risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, also known as the Meaningful Use Program. If you are a provider, in order to comply with HIPAA, it is essential that you conduct risk assessments and document your results. Once you have identified gaps and vulnerabilities, you should take whatever steps are required to address the gaps and vulnerabilities identified, and document what you have done to address those issues. As software and hardware are added and new issues identified, you should also conduct a similar process. The risk assessment is not a one-time action, but is an ongoing process that should become part of your operations.

The security risk assessment tool's website contains a User Guide and Tutorial video to help you begin using the risk assessment tool. The website also includes videos on risk analysis and contingency planning.

Public comments on the SRA tool will be accepted at http://www.HealthIT.gov/security-risk-assessment until June 2, 2014.

The HIPAA risk assessment process can be daunting. To assist you in conducting the risk assessment and advise you on compliance with HIPAA, it is important to assemble a team of IT experts and experienced legal counsel. Hinshaw attorneys are ready and willing to assist you.

Should you have questions or need further information, please contact Michael Dowell in our Los Angeles office or your regular Hinshaw attorney.

This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.