To aid small- and medium-sized practices in complying with the HIPAA Security Rule, federal officials have updated their risk assessment tool designed to help practices identify areas where electronic protected health information (ePHI) is at risk.
Version 3.4 of the HIPAA Security Risk Assessment Tool (SRA), released by the Office of the National Coordinator for Health Information Technology (ONC) and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in September, can be downloaded at no cost. According to HHS, all ePHI “created, received, maintained, or transmitted” by a practice is subject to the HIPAA Security Rule.
While use of the tool does not mean a practice is compliant with the HIPAA Security Rule or other federal, state, or local laws and regulations, per ONC, it does assist with the rule’s requirement for practices to conduct risk assessments to ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards.
Austin internist Manish Naik, MD, chair of TMA’s Committee on Health Information Technology, says the updated tool can help practices assess risk beyond what technology vendors provide.
“Some physicians believe if their technology vendors are HIPAA compliant, then they are,” he said. “But a technology-secure practice goes beyond what the technology vendors provide, and a security risk assessment will help you identify organizational weakness that can be strengthened over time.”
The new tool, compatible with desktop applications, informs users on how to complete security risk assessments through multiple-choice questions and threat evaluations. References, supplementary guidance, and risk-assessment reports are available to save and print after the assessment is completed.
Version 3.4 contains several key updates based on user feedback, including:
A remediation report, which allows users to log efforts taken by their practice to address risks.
A new glossary and tips section, where users can learn more information about risk assessments and the tool’s features.
Bug fixes, usability enhancements, and references to the 2023 edition of the Health Industry Cybersecurity Practices publication.
To learn more about how the SRA tool and risk analysis can help your practice, see OCR’s official guidance.
To learn more about HIPAA requirements, visit TMA’s comprehensive HIPAA resource page.