Health Law & Policy Matters Health Care Attorneys | Mintz Levin Law Firm

Compliance is No Joke: OCR Releases Security Risk Assessment Tool

Posted in Privacy & Security/HIPAA/HITECH

Written by: Stephanie D. Willis and Dianne J. Bourque

On March 28, 2014, the Office for Civil Rights (OCR) announced the release of an online and iPad app-based security risk assessment (SRA) tool. The tool is intended to help health care providers in small to medium-sized offices conduct and document risk assessments of their organizations and meet their compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The SRA tool is a self-contained application that runs on Windows desktop and laptop computers or on Apple’s iOS for the iPad. OCR has imposed penalties based on a provider’s failure to properly perform a risk assessment compliant with the Security Rule’s standards, as we profiled in a recent post. The release of the tool further signals OCR’s increased focus on the preventive measures that covered entities and business associates must undertake to demonstrate awareness of and adherence to HIPAA’s requirements.

The SRA tool is the result of joint efforts by OCR, the HHS Office of the National Coordinator for Health Information Technology (ONC), and the HHS Office of General Counsel. As stated in the joint HHS press release, “[c]onducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program.” Health care providers should use security risk assessments to find and address potential weaknesses in their security policies, processes, and systems. Ultimately, these risk assessments and subsequent corrective actions can help providers implement ways to avert health data breaches or other adverse security incidents.

The SRA tool itself consists of 156 “yes” or “no” questions that ask the health care provider about activities corresponding to HIPAA requirements, and it provides immediate feedback indicating whether the provider should take corrective action to address a deficiency under a particular HIPAA requirement. Of particular convenience, the SRA tool allows providers to pause the risk assessment and view current results. For health care providers who are less technologically inclined, OCR has also provided a paper version of the assessment tool, which can be accessed at the following links:

In addition, the SRA tool website provides a User Guide and Tutorial Videos to help providers use the SRA tool and to understand the Security Rule’s requirements regarding risk analysis and contingency planning.