HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS Releases Updated HIPAA Security Risk Assessment Tool

The HHS has updated its HIPAA Security Risk Assessment Tool and has added several new user-requested features to improve usability.

The HIPAA Security Risk Assessment Tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS’ Office for Civil Rights to help healthcare organizations with this important provision of the HIPAA Security Rule.

The risk assessment is a foundational element of compliance with the Health Insurance Portability Act Security Rule. By conducting a risk assessment, healthcare organizations can identify areas where PHI may be at risk. Any risks can then be assessed, prioritized, and reduced to a reasonable and acceptable level.

The failure to conduct a comprehensive, organization-wide risk assessment is the most commonly cited HIPAA violation in OCR enforcement actions. This is perfectly understandable. If a risk assessment does not cover all systems that store or touch ePHI, vulnerabilities are likely to be missed and the confidentiality, integrity, and availability of ePHI will remain at risk.

Please see the HIPAA Journal Privacy Policy

The Security Risk Assessment Tool can help small to medium sized healthcare organizations conduct a comprehensive, organization-wide risk assessment to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). By using the tool, healthcare organizations will be able to identify and assess risks and vulnerabilities and use that information to improve their defenses against malware, ransomware, viruses, botnets and other types of cyberattack. The tool also helps covered entities conduct a review of all electronic devices that store or capture ePHI as well as devices that can be used to access ePHI in an EHR.

Since its initial release, the tool has been updated several times to improve usability and add additional functions. The latest version of the Risk Assessment Tool – Version 3.1 – has been released to coincide with National Cybersecurity Awareness Month and includes several user-requested improvements:

  • Threat and vulnerability validation
  • Incorporation of NIST Cybersecurity Framework references
  • Improved asset and vendor management
  • Question flagging and a new Flagged Report
  • Ability to export Detailed Reports to Excel
  • Fixes for several reported bugs to improve stability

The tool can be downloaded from the HHS for Windows devices, although the latest version is not available for Mac OS.

The HHS points out that the tool is only as useful as the work that goes into conducting and documenting a risk assessment. Use of the tool does not guarantee compliance with the risk assessment requirements of the HIPAA Security Rule and will only help HIPAA-covered entities and their business associates conduct periodic risk assessments.

HIPAA Seal of Compliance

HIPAA Risk Assessment

Find gaps in your compliance

Start HIPAA Assessment Now

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.