New HHS Tool Released to Assist with HIPAA Risk Assessments

Conducting a thorough risk assessment is a requirement under the HIPAA Security Rule; however, it can be a complex process requiring all potential security risks to be identified. The process can be a daunting task for any organization, especially when the risks of non-compliance are so severe.

Under the Security Rule, HIPAA-covered entities are required to conduct a risk assessment to determine any potential vulnerabilities and take the appropriate actions to reduce and, as far as is possible, eliminate data security risks. Incorporating the necessary safeguards, software systems and data encryption services is essential under HIPAA regulations in order to keep electronic health records private and confidential.

The HHS understands the issues faced by healthcare organizations and has developed a tool to help organizations conduct thorough risk analyses and ensure they are fully HIPAA-compliant. Any organization about to conduct a risk analysis under HIPAA should use the new tool provided by the HHS on its website.

The tool takes the user through a series of questions which need to be answered as part of the risk assessment, with a step-by-step approach taken to ensure no important areas are overlooked. According to the HHS, the tool will not only help to highlight any security risk that exists, but it will also help organizations gain a better understanding of their IT security systems as a whole.

The new tool is a standalone application which can be run on Windows PCs and laptops, while iPad users can download the tool from the Apple App Store.

The tool asks a series of 156 questions which allows the user to determine any areas which require immediate attention and correction. The tool includes supplemental information to help the user answer the questions accurately and provides assistance to explain the context of the question and the potential impact on PHI records.

The SRA Tool User Guide can be downloaded from the HHS website. For information on the use of the tool visit:

The use of the tool is not a requirement under the HIPAA Security Rule and it is not a definitive source of information on HIPAA compliance, which should be obtained from the Health Information Privacy section of the HHS Office for Civil Rights website.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.