A new Security Risk Assessment tool is now available to help small and medium sized offices “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”* The tool, released by the Department of Health and Human Services (“HHS”), is intended to help offices comply with a requirement of the HIPAA Security Rule that has recently seen increased enforcement penalties against health care providers. HHS also released video tutorials and a user guide for the new tool.

The tool is based on 156 yes/no questions that include explanations highlighting various issues, concerns, and possible safeguards related to each question. However, the summary reports generated by the tool are likely insufficient to document compliance with the Security Rule and it is unclear whether the tool will be useful in actually completing a Security Risk Assessment. Further, since the questions focus on administrative policies and controls, the tool may be inappropriate for smaller providers that often use more informal policies.

The tool is not user-friendly and is available only for some PCs, for iPads, and in a paper version (it is incompatible with Windows 8.1, Macintosh, Linux, and Android, and is difficult to use on most smaller screens).

Regardless of its limitations, the tool is a welcome attempt by HHS to tailor its previous guidance on completing a Security Risk Assessment to the needs of small and medium sized offices and provides additional information about how HHS intends to enforce the Security Rule.

 

Next Steps for Providers

At this point, particularly for small providers, we recommend using one of the numerous other templates and tools that are available to help you complete your required Security Risk Assessment. These options are often better tailored for smaller providers and can provide a clearer and more practical analysis to help effectively protect patients’ sensitive information and more clearly meet the Security Rule’s requirements.

If you have any questions about the Tool, how to complete a Security Risk Assessment, or compliance with the HIPAA Security Rule generally, please contact one of our health care attorneys.

 

More Information:

HHS Press Release: http://www.hhs.gov/news/press/2014pres/03/20140328a.html

Security Risk Assessment Tool: http://www.healthit.gov/providers-professionals/security-risk-assessment

*Located at 45 C.F.R. § 164.308(a)(1)(ii)(A). Note: this is a different HIPAA risk assessment/risk analysis from the post-breach assessment required under 45 C.F.R. § 164.402(2), which is intended to determine if there is a low probability that PHI was compromised in a possible breach.

Photo: Thinkstock/yulia_lavrova