The Department of Health & Human Services Office of Civil Rights (OCR), which enforces HIPAA, recently released a Security Risk Assessment (“SRA”) Tool to help providers comply with the HIPAA Security Rule. Security risk assessments are required by the HIPAA Security Rule, and are also required for providers hoping to receive payments through the Meaningful Use Program for EHR.
The HIPAA Security Rule requires covered entities and business associates to assess whether their administrative, physical and technical safeguards sufficiently protect the security of their PHI. The OCR’s SRA Tool, available for download here, walks the user through each safeguard, and is designed to help users assess each security standard and identify any remediation needed. The OCR states that the SRA Tool does not transmit user information to the government.
No more excuses!
The OCR created a tool to help providers comply with the Security Rule and is making it available free of charge. This likely raises expectations for covered entities and business associates who haven’t gotten around to conducting a HIPAA Security Risk Assessment and implementing security policies and procedures. Now that the government has made it really easy to conduct an assessment, the government is unlikely to be sympathetic to entities that continue to ignore this requirement.
Proceed with caution…
The SRA Tool can help you evaluate HIPAA Security safeguards, and the extent to which your organization has addressed them. However, all covered entities and business associates must also conduct an analysis of the potential risks and vulnerabilities to each type and source of ePHI in their organization. The SRA Tool does not walk the user through this analysis. MPA recommends that covered entities and business associates supplement their HIPAA Security assessment with an inventory of ePHI, and an evaluation of the risks and threats to each.
For more information about HIPAA compliance, see MPA’s HIPAA Guidance page.