The HIPAA Security Rule has long required covered entities and business associates to conduct an enterprise-wide security risk analysis. This analysis must assess the potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic protected health information (“ePHI”) held by the entity. This analysis should, in part, identify where the entity holds ePHI, how it receives ePHI and what the threats are to the entity’s information systems that contain ePHI.
While there is no single method of conducting a risk analysis that equates to compliance with the HIPAA Security Rule, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the HHS Office of the National Coordinator for Health Information Technology (ONC) developed a Security Risk Assessment Tool (the “SRA Tool”) to assist covered entities and business associates in completing this required task. OCR and ONC state that the SRA tool is designed to be used by small or medium-sized health care practices or other covered entities and business associates, but its concepts can be applied to covered entities and business associates of all sizes.
In October 2018, OCR and ONC announced changes to the SRA Tool to make it more user-friendly and more broadly applicable. The updated version follows comprehensive testing of the prior model with health care practice managers. One major update is enhanced ways for an entity to document how it can implement or plan for security measures to protect its ePHI. It also includes new features, such as a progress tracker, a method of tracking business associates and assets and improvements to ratings of threats and vulnerabilities.
The updated SRA Tool is one more way in which OCR indicates the importance of conducting security risk analyses. Failure to conduct such an analysis can put an entity’s ePHI at a higher risk, and can be a major factor weighing in favor of penalties or other enforcement if OCR audits or investigates a covered entity or business associate. Many of the OCR enforcement actions over the past several years reference lack of a security risk analysis as part of the identified compliance issues (see our prior summaries here, here, and here).
The updated SRA Tool can be found here. OCR and ONC note that the update is compatible with Windows operating systems only; iPad users can continue to use the prior version.