What’s Happening?

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), recently released a jointly developed tool designed to assist small and medium sized practices (one to ten healthcare providers) in conducting  security risk assessments (the “SRA Tool”). This tool can be found at http://www.healthit.gov/providers-professionals/security-risk-assessment-tool.

The HIPAA Security Rule mandates that covered entities and business associates assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic PHI they hold and take appropriate measures to minimize those risks and vulnerabilities.  These steps are a crucial part of an entity’s Security Management Process and considered by HHS to “form the foundation upon which an entity’s necessary security activities are built.”

The Rule does not specifically outline the steps entities should take in conducting a risk analysis or dictate how often it should be done.  In previous guidance, HHS indicated that covered entities could use, but were not required to use, any of the National Institute of Standards and Technology (“NIST”) publications, such as SP 800-30 – “Risk Management for Information Technology Systems.”  Others have used the OCR Audit Program Protocol to guide them in conducting risk assessments or developed home grown tools. 

Use of the SRA Tool is not required by the Security Rule or by OCR, nor does it guarantee compliance with HIPAA or state privacy and security laws.  The purpose of this specific tool is to “assist healthcare practices in performing and documenting a Security Risk Assessment.”  Although small to medium practices are the target audience, larger organizations or practices can benefit from viewing the tool and tailoring it to their specific needs. The tool does not include provisions to assess for compliance with the Privacy Rule.

As represented, the tool is a “self-contained, operating system (OS) independent application that can be run on various environments including Windows OS’s for desktop and laptop computers and Apple’s iOS for iPad only” (which can be downloaded from Apple’s App Store at no cost – “HHS SRA Tool”).  The tool walks the user through each HIPAA requirement and asks questions about what the provider is doing to meet those requirements.  For example:

A1 – §164.308(a)(1)(i)  Standard – Does your practice develop, document, and implement policies and procedures for assessing and managing risk to its Electronic Protected Health Information (ePHI)?

Answer:  Yes or No

If no, please select from the following:  Cost, Practice Size, Complexity, Alternate Solution.   Please detail your current activities.  Please include any additional notes.  Please detail your remediation plan.

The user is invited to judge the likelihood that a particular threat could affect the practice’s ePHI and to rate the impact or level of harm that could occur if the standard or requirement stated in the question is not met.

There are a total of 156 questions in the SRA Tool.  The tool includes additional information to help the user understand and answer the questions, such as “Things to Consider,” Threats and Vulnerabilities,” and “Examples of Safeguards.”

Answers to the questions will ultimately appear in a risk assessment report.  The information entered by the user into the SRA Tool, and the report itself, are not shared (by the App) with the OCR or any other person/organization, but are solely intended for the practice.  The OCR recommends securing the downloaded tool (and user responses) by “password protecting or encrypting the folder where it will be stored.”

Questions to Consider

  • Will the ONC/OCR develop a Risk Assessment tool for larger providers and business associates?
  • Why do you think they focused on small to medium practices?
  • Have you tried to download and use the App?