On March 28, the U.S. Department of Health and Human Services (HHS) announced the release of a new security risk assessment (SRA) tool to help small healthcare providers conduct and document risk assessments, as required by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. As more fully discussed here, HHS has recently become more aggressive in investigating and fining providers that suffer breaches of patient information, particularly when those providers had not, in HHS’s view, properly assessed potential weaknesses in their security policies, processes and systems.

The new SRA tool is a software application consisting of 156 “yes” or “no” questions that cover each HIPAA Security Rule requirement, including the administrative, technical and physical safeguards required for patient information. By answering the questions about its own activities, an organization can identify the areas where corrective action is needed to comply with HIPAA. The tool is available for Windows operating systems and iPads. The Windows version may be downloaded from the government’s HealthIT.gov website, and the iPad version is available from the Apple App Store. A paper-based version of the tool is also available at HealthIT.gov, along with a user guide and a video tutorial.

The HIPAA Security Rule does not require that providers use the new tool, but HHS believes that it will assist providers and professionals as they perform risk assessments. Since the failure to perform a thorough risk assessment may be interpreted as willful noncompliance with HIPAA, potentially resulting in greater penalties in the event of a data breach, most providers would be wise to use the tool. If a provider documents its use of the tool, keeps that documentation, and makes the policy and procedure changes the tool identifies as necessary, the provider may be able to reduce its potential exposure.