
HIPAA Compliance: ONC Updates Security Risk Assessment Tool

The Security Risk Assessment (SRA) tool was developed jointly by ONC and OCR to help healthcare entities ensure compliance with the HIPAA safeguards.

The Office of the National Coordinator (ONC), in collaboration with the Office for Civil Rights (OCR), released an update to the Department of Health and Human Services Security Risk Assessment Tool, designed to help small- and medium-sized healthcare providers ensure HIPAA compliance.

Updates to the SRA tool include various new features, such as improved navigation throughout the assessment sections, export options for reports, and enhanced user interface scaling. 

Under HIPAA, covered entities and their business associates are required to perform a risk assessment that evaluates compliance with HIPAA’s administrative, physical, and technical safeguards. An effective analysis will reveal security gaps that could put protected health information at risk.

Industry stakeholders have also reminded organizations that risk assessments and analyses are crucial to any resilient healthcare information security program.

To help organizations with limited security resources, ONC and OCR developed a downloadable SRA tool to support healthcare entities with the risk assessment process required by HIPAA and by the Centers for Medicare and Medicaid Services Electronic Health Record Incentive Program.

In November 2019, ONC reminded organizations of the tool’s benefits. Last updated in 2018, the free resource includes an enhanced user interface, custom assessment logic, modular workflows, progress tracker, detailed reports, and ratings of threats and vulnerabilities. 

ONC previously added a business associate and asset tracking tool, addressing a task that many healthcare providers find challenging. The SRA covers four key areas, including identifying potential threats and vulnerabilities to electronic PHI, such as weak login points and potential cyberattacks.

The tool can also inform a provider organization’s development of mitigation plans and help with the review of all electronic devices that interact with ePHI, through a function that documents the risk identification and analysis process, including vulnerability scans and site walk-throughs.

“All information entered into the SRA Tool is stored locally to the users’ computer or tablet. HHS does not receive, collect, view, store or transmit any information entered in the SRA Tool,” officials reminded entities.  

“The results of the assessment are displayed in a report which can be used to determine risks in policies, processes and systems and methods to mitigate weaknesses are provided as the user is performing the assessment,” they added. “The target audience of this tool is medium and small providers. Thus, use of this tool may not be appropriate for larger organizations.” 

The release comes on the heels of insights from OCR that spotlighted best-practice IT asset inventory steps, which can help healthcare entities improve the risk analyses required by HIPAA. Officials reminded organizations that risk analyses are not only HIPAA-required but also fundamental to “identifying and implementing safeguards that comply with and carry out the Security Rule standards and implementation specifications.”

As seen in multiple OCR settlements over potential HIPAA violations, the lack of a risk assessment can prove costly.

For example, the Texas Health and Human Services Commission paid a civil monetary penalty of $1.3 million in 2019, while Touchstone Medical Imaging settled with OCR for $3 million -- both for failing to conduct a risk analysis, among other potential HIPAA violations.  

The updated SRA tool page also includes other valuable resources for healthcare entities performing risk analyses. Given that a Netwrix report revealed the majority of healthcare providers are overconfident in their ability to control data sharing and data storage security mechanisms, security leaders should consider reviewing these tools.
