With Health and Human Services (HHS) audit activity on the rise, an accurate and thorough assessment is more important than ever.
HIPAA’s security rule requires most covered entities (including group health plans) and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information.
HHS, through its Office of the National Coordinator for Health Information Technology, has developed an interactive Security Risk Assessment (SRA) Tool to assist covered entities in performing and documenting a HIPAA security risk assessment. An accompanying User Guide explains that use of the tool is not required, does not guarantee HIPAA security compliance, and does not cover any HIPAA privacy requirements.
The SRA Tool is a software application that can be downloaded, free of charge, from the agency’s website and run on a user’s desktop or laptop computer or iPad. It contains 156 questions that address administrative, technical, and physical safeguards, which include basic security practices, security failures, risk management, and personnel issues. Each question includes resources such as definitions, explanations of potential risks, and examples of safeguards. In addition, the SRA Tool allows the user to add notes and document actions taken or planned. For those who prefer a less interactive approach, the SRA Tool’s content is also available in three Word documents that can be downloaded or printed from the website.
Clients should be forewarned that many of the questions reflect National Institute of Standards and Technology standards, which go beyond current HIPAA security requirements. The SRA Tool is self-contained and therefore completely confidential. Input is stored on the user’s computer for future reference and report generation, but nothing is sent to HHS or elsewhere.
This SRA Tool, in conjunction with the knowledge and experience of Roetzel attorneys, can ensure that clients are in compliance with HIPAA and prepared for an HHS audit. For further information, please contact any of the Roetzel attorneys listed in the sidebar.