What is the OCR's Security Risk Assessment Tool?

The HHS Risk Assessment Tool is a software provided by the U.S. Department of Health and Human Services to help healthcare providers identify and address potential security risks to patient data.

What is a HIPAA risk assessment?

HHS calls the risk assessment the foundational step to HIPAA compliance. It helps determine the most effective and appropriate administrative, physical, and technical safeguards to properly protect ePHI. All while considering each CE's unique needs and characteristics. There is no one way to perform a risk assessment, as there is no one solution to cybersecurity.

A HIPAA risk assessment can tackle and analyze:

1. Scope of the analysis
2. Potential threats and vulnerabilities
3. Current security measures
4. The likelihood of a threat
5. The potential impact of a threat
6. The level of risk
7. Helpful security measures and final documentation are needed

See also: What is a HIPAA risk assessment?

What is the HHS Risk Assessment?

According to the ONC guidance document, the SRA tool is, “...designed to help health care providers and business associates that handle patient information for them to evaluate risks, vulnerabilities and adherence to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.”

The tool was developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS Office for Civil Rights (OCR). It helps healthcare organizations evaluate and manage security risks related to PHI within their operations. It also provides a structured process, either through a Windows desktop application or an Excel workbook, to guide users through the assessment, identify vulnerabilities, and develop strategies to address them.

Who should use the SRA Tool?

1. Small and medium healthcare providers
2. Dental practices
3. Community health centers
4. Behavioral health practices
5. Small hospitals
6. Healthcare organizations with limited resources
7. Any size organization seeking to improve security posture

What are the specific features of the SRA Tool?

1. Guided assessment process: The SRA Tool provides a structured, step-by-step approach to conducting security risk assessments. It uses a simple, wizard-based interface that guides users through the assessment process.
2. Multiple-choice questions: Users are presented with a series of multiple-choice questions related to various aspects of security and compliance. These questions help organizations assess their current security practices and identify potential vulnerabilities.
3. Threat and vulnerability assessments: The tool assists organizations in identifying potential threats to protected health information (PHI) and vulnerabilities within their systems and processes. This helps organizations pinpoint areas of risk.
4. Asset and vendor management: Users can input information about their organization's assets (hardware and software) and vendors (third-party service providers). This feature helps organizations understand their security landscape and potential risks associated with external partners.
5. Report generation: After completing the assessment, organizations can generate reports summarizing the assessment findings and recommendations. These reports can be saved and printed for documentation purposes.
6. Remediation report: In Version 3.4 of the SRA Tool, a Remediation Report feature was introduced. This allows organizations to track their responses to identified vulnerabilities and monitor their progress in addressing security issues.
7. Information security standards: The tool references National Institute of Standards and Technology (NIST) standards, widely recognized as best practices in information security. While these standards are not required for compliance with the HIPAA Security Rule, they provide valuable guidance.
8. Local data storage: All information entered into the SRA Tool is stored locally on the user's computer. The tool does not collect, view, store, or transmit any of the entered information, ensuring data privacy and security.

Related: The NIST Cybersecurity Framework and the HIPAA Security Rule crosswalk

How can it be utilized by healthcare organizations?

1. Download and install the tool: Healthcare organizations can download the SRA Tool from the official HealthIT.gov website. Two versions are available: one for Windows and one in the form of an Excel workbook. Organizations should choose the version that best suits their needs and system requirements.
2. Follow the guided assessment process: For the Windows desktop application, Users can launch the application and follow a step-by-step, wizard-based approach. For the Excel workbook, Users can open the spreadsheet and navigate through the content, which mirrors the assessment process found in the desktop application.
3. Answer multiple-choice questions: The tool presents multiple-choice questions related to security and compliance. Users should answer these questions accurately based on their organization's practices and procedures.
4. Assess threats and vulnerabilities: The tool assists organizations in identifying potential threats and vulnerabilities that could compromise the security of PHI. It helps in evaluating the organization's current security measures and practices.
5. Manage assets and vendors: Users can input information about their organization's assets (hardware, software) and vendors (e.g., HIPAA compliant email services). This step helps in understanding the broader security landscape.
6. Access references and guidance: Throughout the assessment, the tool provides references and additional guidance to help users make informed decisions about security measures and risk mitigation strategies.
7. Generate reports: After completing the assessment, the SRA Tool allows organizations to generate reports summarizing the assessment findings and recommendations. These reports can be saved and printed for documentation purposes.
8. Track remediation: Version 3.4 of the SRA Tool introduced a Remediation Report feature, which enables organizations to track their responses to identified vulnerabilities and work on addressing them.

See also: How to perform a risk assessment

FAQs

What is the ONC?

The ONC is a division of the U.S. Department of Health and Human Services that coordinates national efforts to implement and use advanced health information technology and electronic health records.

When is an organization a covered entity or business associate? 

An organization becomes a covered entity or business associate under HIPAA when it handles Protected Health Information (PHI) in providing healthcare services, payment activities, or operations, or when it performs services for a covered entity that involve access to PHI.

What is the function of a risk assessment?

The function of a risk assessment is to systematically identify and evaluate potential risks to the security and privacy of PHI.