The U.S. Department of Health and Human Services (“HHS”), in collaboration with the Office of the National Coordinator for Health Information Technology (“ONC”), recently developed a tool to assist certain health care providers with conducting security risk assessments (the “SRA Tool”) as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The HIPAA Security Rule requires all Covered Entities and Business Associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (“ePHI”). The SRA Tool was created to assist certain entities with that assessment and to facilitate the creation of documentation that may be useful in the event of an audit.
According to the user guide, the SRA Tool is meant for small practices with one to ten health care providers. It essentially translates the HIPAA security requirements into a series of questions for the user to answer, and it generates a report that can highlight gaps in compliance. Importantly, using the SRA Tool does not render an entity HIPAA compliant. Instead, it helps the entity satisfy one specific HIPAA requirement, the risk analysis implementation specification at 45 CFR § 164.308(a)(1)(ii)(A), and helps to identify areas of risk that require attention; the entity must still address the risks the report identifies and implement the other safeguards the Security Rule requires.
The ONC intends to update and improve the SRA Tool over time. Accordingly, comments regarding the SRA Tool may be submitted via http://www.HealthIT.gov/security-risk-assessment until June 2, 2014.