ONC and OCR Release Updated Security Risk Assessment Tool

The Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have released a new version of the HHS Security Risk Assessment (SRA) Tool.

The HIPAA Security Rule requires HIPAA-regulated entities to conduct a comprehensive, organization-wide risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). All risks identified must then be subject to risk management processes to reduce the identified risks and vulnerabilities to a low and acceptable level.

Risk analyses/assessments are vital for HIPAA compliance. They help HIPAA-covered entities determine if they are compliant with the administrative, physical, and technical safeguards of the HIPAA Security Rule and help to identify the most effective and appropriate administrative, physical, and technical safeguards to protect ePHI. Investigations and audits of HIPAA-regulated entities have shown that the risk assessment/analysis is an aspect of compliance that many healthcare organizations fail to get right, and it is one of the most commonly cited HIPAA violations in OCR enforcement actions.

In 2014, ONC and OCR jointly developed and launched the SRA Tool to help small- and medium-sized healthcare practices and business associates with this important aspect of HIPAA Security Rule compliance. The SRA tool is a downloadable tool that can be used to guide HIPAA-regulated entities through the risk assessment process. The SRA Tool is a desktop application that uses a wizard-based approach involving multiple-choice questions, threat and vulnerability assessments, and asset and vendor management, and walks users through the security risk assessment process.

The SRA tool has been updated over the years, with the latest version incorporating new features in response to user feedback and public input. Those features include the incorporation of Health Industry Cybersecurity Practices (HICP) references, file association in Windows, improved reports, bug fixes, and stability improvements.

ONC and OCR have also developed a new SRA Tool Excel Workbook, which is intended to replace the legacy paper version of the SRA Tool. The workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application and is a good alternative for users who do not have Microsoft Windows.

ONC and OCR explain that use of the tool does not guarantee compliance with HIPAA but can help regulated entities achieve compliance. The tool was developed for SMBs and may not be appropriate for larger healthcare organizations.

The SRA tool, which can be downloaded here, can be installed as an application on 64-bit versions of Microsoft Windows 7/8/10/11. The new SRA Tool Excel Workbook can be used on other systems.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.