HHS Releases Updated HIPAA Security Risk Assessment Tool


The HHS has updated its HIPAA Security Risk Assessment Tool and has added several new user-requested features to improve usability.

The HIPAA Security Risk Assessment Tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS Office for Civil Rights (OCR) to help healthcare organizations meet the risk analysis requirement of the HIPAA Security Rule.

The risk assessment is a foundational element of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. By conducting a risk assessment, healthcare organizations can identify where PHI is exposed to threats. The identified risks can then be assessed, prioritized, and reduced to a reasonable and appropriate level.

The failure to conduct a comprehensive, organization-wide risk assessment is the most commonly cited HIPAA violation in OCR enforcement actions. That is unsurprising: if a risk assessment does not cover every system that stores, processes, or transmits ePHI, vulnerabilities in the uncovered systems are likely to be missed, and the confidentiality, integrity, and availability of that ePHI will remain at risk.

The Security Risk Assessment Tool can help small to medium sized healthcare organizations conduct a comprehensive, organization-wide risk assessment to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI). By using the tool, healthcare organizations can identify and assess risks and vulnerabilities and use that information to improve their defenses against malware, ransomware, viruses, botnets, and other types of cyberattack. The tool also helps covered entities review all electronic devices that store or capture ePHI, as well as devices that can be used to access ePHI in an electronic health record (EHR) system.

Since its initial release, the tool has been updated several times to improve usability and add functions. The latest version of the Risk Assessment Tool, Version 3.1, has been released to coincide with National Cybersecurity Awareness Month and includes several user-requested improvements:

  • Threat and vulnerability validation
  • Incorporation of NIST Cybersecurity Framework references
  • Improved asset and vendor management
  • Question flagging and a new Flagged Report
  • Ability to export Detailed Reports to Excel
  • Fixes for several reported bugs to improve stability

The tool can be downloaded from HHS for Windows devices; the latest version is not available for macOS.

HHS points out that the tool is only as useful as the work that goes into conducting and documenting a risk assessment. Use of the tool does not guarantee compliance with the risk assessment requirements of the HIPAA Security Rule; it only helps HIPAA-covered entities and their business associates conduct and document periodic risk assessments.

Author: HIPAA Journal
