The Department of Health and Human Services (HHS), through its Office of the National Coordinator for Health Information Technology (ONC), has developed an interactive Security Risk Assessment Tool (SRA Tool) to assist covered entities in performing and documenting Health Insurance Portability and Accountability Act (HIPAA) security risk assessments.
Although HHS designed the SRA Tool for health care providers in small to medium-sized offices, it is a helpful resource for all covered entities and business associates to review their implementation of the HIPAA Security Rule.
Why Is Risk Assessment Important?
The HIPAA Security Rule requires covered entities (including group health plans) and business associates to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of the confidentiality, integrity and availability of their electronic protected health information (ePHI). Covered entities and business associates must then implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.
Conducting a risk assessment is a crucial first step in an organization’s efforts to comply with the Security Rule. It directs what reasonable steps a covered entity or business associate should take to protect the ePHI it creates, transmits, receives or maintains.
Risk assessment is also an ongoing process. Covered entities and business associates should periodically revisit their risk assessments and make appropriate updates to their ePHI safeguards. According to HHS, compliance with the HIPAA Security Rule is not a one-time project, but rather an ongoing, dynamic process that will create new security challenges as organizations and technologies change.
HHS’ Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Security Rule. OCR has increased its enforcement of the HIPAA Privacy and Security Rules in recent years, with some costly outcomes for covered entities. Failing to conduct a timely and thorough risk assessment has routinely been identified by OCR as a common HIPAA compliance problem, and will likely be a focus of future OCR compliance audits. Given this increased enforcement activity, an accurate and thorough risk assessment is more important than ever for covered entities and business associates.
What Security Safeguards Are Required?
The HIPAA Security Rule does not require covered entities and business associates to follow a specific risk assessment methodology. Because the health care industry is both diverse and broad, the HIPAA Security Rule is designed to be flexible and scalable. The Security Rule recognizes that the methods a covered entity or business associate uses to safeguard ePHI will vary with the size, complexity and capabilities of the organization.
To read more about the HIPAA Security Risk Assessment Tool, click here.