On March 28, 2014, the U.S. Department of Health and Human Services (“HHS”) announced the release of a security risk assessment (“SRA”) tool to assist small- to mid-sized providers in conducting risk assessments of their organizations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  With Security Rule enforcement on the rise, providers should be aware of and take advantage of federal government resources to maintain compliance. 

The HIPAA Security Rule requires that covered entities and business associates conduct assessments of potential risks and vulnerabilities to electronic protected health information (“ePHI”) held by the covered entity or business associate and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.  Conducting a risk assessment is also a requirement of the Medicare and Medicaid EHR incentive programs.

The SRA tool was developed by the HHS Office of the National Coordinator for Health Information Technology (“ONC’) and Office for Civil Rights (“OCR”).  The SRA tool is a software application available for Windows desktop and laptop computers as well as Apple iOS iPads that helps small- to mid-sized providers conduct and document risk assessments of their organizations.  There is also a paper form of the tool available for download.  The link for the SRA tool is http://www.healthit.gov/providers-professionals/security-risk-assessment-tool.  The SRA first asks users to enter information about their organization and business associates.  It then walks users through each Security Rule requirement and asks the user to answer questions regarding compliance.  The user may document answers and comments directly into the tool, which, according to the SRA tool website, are stored locally and the data is not sent anywhere else.  The ONC is requesting that users of the SRA tool provide feedback on their experiences through June 2, 2014.

Once a provider completes the SRA, the provider may have additional tasks to complete to ensure compliance.  The assessment is the first step, albeit an important one.  Providers should use the knowledge gained from the assessment to make appropriate enhancements to ensure compliance.

Compliance with the Security Rule is important for providers.  The OCR has been particularly active in Security Rule enforcement actions recently.  Just last month Skagit County, Washington agreed to a $215,000 fine due, in part, to failing to implement sufficient Security Rule policies and procedures.  With the increasing reliance on electronic systems by health care providers, it is anticipated that enforcement actions will continue.

The government cautions that use of the SRA tool does not guarantee compliance with HIPAA or any other law, nor is it applicable to Privacy Rule compliance.  Notwithstanding the cautions, the SRA tool could be helpful for smaller providers who may struggle with conducting risk assessments of their organizations.