Late last week, the HHS Office for Civil Rights (OCR) and Office of the
National Coordinator for Health Information Technology (ONC) released a
security risk assessment (SRA) tool designed to help health care providers conduct risk assessments as
required by the HIPAA Security Rule.
Under the Security Rule, health care providers must perform risk
assessments to evaluate the security of their electronic protected health
information (ePHI), and then implement reasonable and appropriate safeguards
that may be necessary to reduce and manage the risk and to protect ePHI. While the Security Rule does not dictate the
frequency of such risk assessments, providers participating in CMS’s Electronic
Health Records (EHR) Incentive Program must conduct a risk assessment every
year in order to meet Meaningful Use standards.
As we have previously written,
participants in the EHR Incentive Program may be penalized for failing to
conduct an annual risk assessment.
The Security Rule requires health care providers to implement
administrative, physical and technical safeguards to protect the
confidentiality, integrity and availability of all ePHI the organization
creates, receives, maintains or transmits.
Providers must protect against any reasonably anticipated threats or
hazards to the security or integrity of ePHI, and against reasonably
anticipated uses or disclosures of ePHI that are not permitted or
required. These provisions of the
Security Rule necessitate that providers understand the potential risks to the
ePHI they hold. Thus, under the Security
Rule, health care providers must perform (and document) risk assessments to
evaluate the potential risks to their ePHI, the safeguards they have in place,
and additional measures that may be necessary to comply with the Rule.
The Security Rule is designed to be flexible and scalable. Once the risks are identified, health care
providers may use any security measures that allow them to reasonably and
appropriately implement HIPAA standards, manage their risks, and protect ePHI. When considering which security measures to
implement, the provider must consider four factors: (1) the provider’s size,
complexity, and capabilities; (2) the provider’s technical infrastructure,
hardware, and software security capabilities; (3) the cost of the security
measure; and (4) the probability and criticality of potential risks to ePHI.
The SRA tool focuses on small to medium-sized health care providers to
help them develop security measures appropriate to their size and
resources. The tool guides providers
through each of the Security Rule standards and offers guidance on each
standard to help identify potential threats, vulnerabilities and impacts in a
provider’s current security system. The
tool also offers examples of safeguards that providers may be able to implement
to address the risks and to further protect the confidentiality, integrity and
availability of ePHI they have created, received, maintained or transmitted. Providers are able to make notes in the tool
to document how they currently meet a standard and whether and how they will
implement the standard in the future.
The tool will generate a report indicating the provider’s risk levels
based on the answers provided.
A risk assessment can help identify vulnerabilities in an
organization’s security systems before a breach happens – and the areas in
which additional safeguards may be needed to reasonably and appropriately
safeguard its ePHI. When investigating a
breach, OCR may impose higher civil monetary penalties (or seek higher
resolution amounts for settlement) if it finds the entity has failed to conduct
a risk assessment.
HHS will be accepting comments on the tool until June 2. Comments will inform future updates to the