Many thanks once again to our colleague, Sylvia Brown, for her assistance in authoring this post.

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), recently released a security risk assessment tool (SRA Tool) to assist entities in complying with the HIPAA Security Rule.

As we have discussed previously (most recently here and here), the Security Rule requires entities (both covered entities and business associates) to conduct a risk assessment of their administrative, physical, and technical safeguards on a regular basis.  To facilitate this risk assessment, the SRA Tool walks the user through each HIPAA requirement by presenting 156 questions targeted at the entity’s security practices.  An affirmative or negative answer will prompt a response from the SRA Tool indicating whether the entity needs to take corrective action for that particular item.  The SRA Tool contains resources to help the entity assess the potential impact to its PHI if a requirement is not met.

The tool was developed as a self-contained, operating system independent application that can be run on various environments, such as laptops, desktops and tablets.  Although users may document responses and risk remediation plans directly into the SRA Tool, the SRA Tool does not transmit the data outside of the tool’s environment.  Paper copies of the SRA Tool are also available.  Entities can learn more about the SRA Tool by watching a video of how it operates.

Entities should note that the SRA Tool does not do away with or otherwise limit any HIPAA compliance obligation, and HHS does not guarantee that use of the tool will ensure compliance with the law.  HHS’ intent in releasing this tool is to provide an additional resource to help entities assess the security practices of their organizations.  Therefore, entities should view the SRA Tool as another arrow in their HIPAA compliance quiver that can be used in identifying and correcting organizational security risks.  Depending on the complexity of the risk, legal counsel should be consulted, as the penalties for non-compliance are significant.