25% off all training courses Offer ends May 8, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 8, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Updated Security Risk Assessment Tool Released by ONC

Posted By on Sep 7, 2016

OCR prefers to settle HIPAA compliance issues through voluntary compliance and non-punitive means, although financial penalties are now becoming more commonplace. If OCR investigators uncover HIPAA violations, financial penalties may be issued. Fines of up to $1.5 million can be issued for each violation category discovered.

One of the most common reasons for a financial penalty is the failure to conduct a comprehensive, organization-wide risk assessment. The risk assessment is a foundational requirement of the HIPAA Security Rule – 45 C.F.R. §§ 164.308(a)(1)(ii)(A), and is one of four required implementation specifications in the Security Management Process.

The purpose of the risk assessment is to identify all potential risks to the confidentiality, integrity, and availability of all ePHI that a covered entity creates, receives, maintains, or transmits. The risk assessment must cover all forms of ePHI, and all devices and systems that touch ePHI.

As was seen with the pilot phase of the HIPAA compliance audits and subsequent PHI breach investigations, small to medium-sized covered entities often struggle with the risk assessment.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

To help covered entities comply with this element of the Security Rule, the Office of the National Coordinator for Health Information Technology (ONC), Office of the General Counsel (OGC), and OCR developed a security risk assessment tool.

The security risk assessment tool is a self-contained operating system-independent application for Windows devices and iPads. The tool can be used to ensure that a risk assessment is conducted in a thorough, organized fashion.

The tool contains 156 questions covering HIPAA requirements in relation to each covered entity’s activities. It is not essential to use the tool, although it is advisable for small to medium-sized covered entities.

The tool was first issued in March 2014, but is regularly updated. This week ONC/OCR has announced that the tool has been updated with new features including enhanced reporting functions. The new tool is also compatible with Windows 10. An updated paper-based version of the tool has also been made available.

The tool can be downloaded free of charge from the Apple App store or from the HealthIT.gov website.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist