HHS Releases Updated HIPAA Risk Assessment Tool

November 8, 2019 | Eric D. Fader | Cybersecurity | Electronic Health Records | HIPAA

The U.S. Department of Health and Human Services (HHS) recently released a new version of its security risk assessment (SRA) tool that helps smaller healthcare providers conduct and document risk assessments, as required by the HIPAA Security Rule. The update incorporates new features to make the tool more user-friendly.

The SRA tool, available on HHS’s HealthIT.gov website, is a software application covering each HIPAA requirement, including the need for appropriate administrative, technical and physical safeguards for patient information. By answering the questions about an organization’s activities, the user can determine whether corrective action is necessary in order to comply with HIPAA. The revised version of the tool is available only for Windows operating systems, but the unrevised iPad version remains available from the Apple App Store.

When investigating providers that suffer data breaches, HHS’s Office for Civil Rights (OCR) often imposes harsher penalties upon those providers that, in OCR’s view, failed to properly assess potential weaknesses in their security policies, processes and systems. Providers are not required to use the SRA tool, but those that do, and that make any necessary policy and procedure changes that the tool helps them identify, may be able to reduce their potential exposure in the event of a breach.
