New HIPAA Security Risk Assessment Tool Is Designed For Small Providers & Business Associates
A new security risk assessment (SRA) tool has been developed by the Department of Health & Human Services Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR). The tool is designed to help small and medium size health providers and business associates practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The HIPAA Security Rule requires covered entities like health care providers, hospitals and health plans to protect against reasonably anticipated threats or hazards to the security or integrity of the electronic protected health information (e-PHI) they create, maintain or transmit, and to put into place appropriate safeguards to reduce the risk from those security threats. The requirements of the Security Rule were expanded by the HITECH Act to include business associates, defined as contractors and vendors of covered entities who create, transmit or maintain e-PHI. The risk assessment is also a core requirement for eligible providers and hospitals seeking payment through the Meaningful Use Program.
The Security Rule allows covered entities and business associates flexibility in developing measures to meet the requirements of the standards and implementation specification including consideration of organization size and type, complexity of the technology and infrastructure, human element, infrastructure, and the cost of security measures. The starting point for determining what is appropriate and reasonable is by conducting a risk analysis of the systems and technologies that create, transmit or store electronic protected health information e-PHI as part of a comprehensive process to safeguard the confidentiality, integrity and availability of patient data.
The SRA application is available for download at www.HealthIT.gov/security-risk-assessment. The risk assessment tool also produces a report that can be shared with regulatory agencies conducing compliance reviews or audits. The security risk assessment report could also be valuable information to business partners who are seeking assurance that vendors have appropriate safeguards in place to protect e-PHI.
The ONC/OCR SRA tool designed for use by small and medium health care providers and business associates joins a comprehensive risk assessment tool developed in 2011 by the National Institute of Standards and Technology (NIST). The NIST tool, Security Content Automation Protocol (SCAP), was developed in collaboration with OCR to provide a risk assessment geared to meet the needs of larger, complex covered entities and business associates. The NIST HIPAA Security Rule Toolkit is available for download at http://scap.nist.gov/hipaa/.