HHS unveils security risk assessment tool

A new security risk assessment (SRA) tool aimed to help healthcare providers in small to medium sized offices conduct risk assessments of their organizations is now available from the U.S. Department of Health & Human Services. The tool was first mentioned at a session during HIMSS14 in February.

"Protecting patients' protected health information is important to all health care providers and the new tool we are releasing today will help them assess the security of their organizations," National Coordinator for Health IT Karen DeSalvo said in announcement. "The SRA tool and its additional resources have been designed to help health care providers conduct a risk assessment to support better security for patient health data."

The tool, ONC's first app, will specifically help providers with documentation, Joy Pritts, chief privacy officer at ONC, said at HIMSS14.

"We're committed to making [ONC's tools] useful," Pritts said. "If we can't get this message out to the people who need it, we're not doing our job."

Lack of documentation is a big problem, Pritts added, and to that end, the intent of this tool is to help providers produce the documentation necessary to show an organization has thought about security risk and help guide the thought process, she said.

Leon Rodriguez, director of the HHS Office for Civil Rights, speaking at the HIMSS Privacy and Security Forum in Boston last fall, said the the permanent HIPAA auditing program slated to begin this year will be narrower in scope than the 2012 auditing pilot program.

In the pilot program, a lack of thorough risk analysis was found to be a major weakness--which the app aims to address.

To learn more:
- read the announcement
- see the SRA tool website

Related Articles:
ONC's Joy Pritts: Security risk assessment tool coming soon
OCR not fully enforcing HIPAA
Leon Rodriguez: Permanent HIPAA auditing program will be narrower
Despite HIPAA compliance deadline, OCR to delay some requirements
Don't let HIPAA ruin your life
HHS to provide more HIPAA guidance to covered entities