Late last week, the HHS Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) released a security risk assessment (SRA) tool designed to help health care providers conduct risk assessments as required by the HIPAA Security Rule.  Under the Security Rule, health care providers must perform risk assessments to evaluate the security of their electronic protected health information (ePHI), and then implement reasonable and appropriate safeguards that may be necessary to reduce and manage the risk and to protect ePHI.  While the Security Rule does not dictate the frequency of such risk assessments, providers participating in CMS’s Electronic Health Records (EHR) Incentive Program must conduct a risk assessment every year in order to meet Meaningful Use standards.  As we have previously written, participants in the EHR Incentive Program may be penalized for failing to conduct an annual risk assessment.

The Security Rule requires health care providers to implement administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of all ePHI the organization creates, receives, maintains or transmits.  Providers must protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, and against reasonably anticipated uses or disclosures of ePHI that are not permitted or required.  These provisions of the Security Rule necessitate that providers understand the potential risks to the ePHI they hold.  Thus, under the Security Rule, health care providers must perform (and document) risk assessments to evaluate the potential risks to their ePHI, the safeguards they have in place, and additional measures that may be necessary to comply with the Rule.

The Security Rule is designed to be flexible and scalable.  Once the risks are identified, health care providers may use any security measures that allow them to reasonably and appropriately implement HIPAA standards, manage their risks, and protect ePHI.  When considering which security measures to implement, the provider must consider four factors: (1) the provider’s size, complexity, and capabilities; (2) the provider’s technical infrastructure, hardware, and software security capabilities; (3) the cost of the security measure; and (4) the probability and criticality of potential risks to ePHI.

The SRA tool focuses on small to medium-sized health care providers to help them develop security measures appropriate to their size and resources.  The tool guides providers through each of the Security Rule standards and offers guidance on each standard to help identify potential threats, vulnerabilities and impacts in a provider’s current security system.  The tool also offers examples of safeguards that providers may be able to implement to address the risks and to further protect the confidentiality, integrity and availability of ePHI they have created, received, maintained or transmitted.  Providers are able to make notes in the tool to document how they currently meet a standard and whether and how they will implement the standard in the future.  The tool will generate a report indicating the provider’s risk levels based on the answers provided.

A risk assessment can help identify vulnerabilities in an organization’s security systems before a breach happens – and the areas in which additional safeguards may be needed to reasonably and appropriately safeguard its ePHI.  When investigating a breach, OCR may impose higher civil monetary penalties (or seek higher resolution amounts for settlement) if it finds the entity has failed to conduct a risk assessment.

HHS will be accepting comments on the tool until June 2.  Comments will inform future updates to the tool.