Today, the U.S. Department of Health and Human Services (HHS) released a new security risk assessment (SRA) tool to help health care providers in small to medium sized offices conduct HIPAA Security Rule risk assessments. Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.

The SRA tool is designed to help practices internally conduct and document a risk assessment in a thorough, organized fashion by allowing them to assess the information security risks in their organizations. You can save the information on your own system. The tool is available for downloading at http://www.healthit.gov/providers-professionals/security-risk-assessment-tool. The SRA takes providers through a tutorial of the same issues that would be addressed in an audit (but here, you can evaluate the questions yourself before you have to answer them in an audit). As you go through the SRA tutorial, you will answer questions about each of the regulatory sections. For each question, you can document your answers, comments, and risk remediation plans directly into the SRA tool. The SRA tool also produces a report and serves as your local repository for the information. The tool does not send your data anywhere else. However, if you answer “no,” or cannot answer a question that applies to your practice, the issue should be flagged and a plan of action should be implemented and documented immediately.

Please contact Wayne Kinkade or David Briggs of our Health Law Group if we can be of assistance.