Carrying out an in-depth risk assessment is a requirement under the HIPAA Security Rule; however, it can be a complex process because all potential security weaknesses must be identified. The process can be a major task for any organization, especially when the penalties for non-compliance are so harsh.
As per the Security Rule, HIPAA-covered entities are required to complete a risk assessment to determine any potential vulnerabilities and take the appropriate actions to minimize and, as far as is possible, eliminate data security weaknesses. Incorporating the necessary security measures, software systems and data encryption services is essential under HIPAA regulations in order to keep electronic health records private and confidential.
The HHS realizes the challenges faced by healthcare organizations and has developed a tool to help organizations conduct thorough risk analyses and ensure they are fully HIPAA-compliant. Any organization about to complete a risk analysis under HIPAA should use the new tool provided by the HHS on its website.
The tool walks the user through a series of questions which need to be addressed as part of the risk assessment, with a step-by-step approach taken to ensure no important areas are missed. According to the HHS, the tool will not only help to reveal any security risk that exists, but it will also help organizations gain a better comprehension of their IT security systems as a whole.
The new tool is a standalone application which is compatible with Windows PCs and laptops, while iPad users can download it from the Apple App Store.
The tool asks 156 questions, which allow the user to discover any areas that require immediate attention and correction. The tool incorporates supplemental information to help the user answer the questions accurately and provides help to explain the context of each question and the potential impact on PHI records.
The SRA Tool User Guide is downloadable from the HHS website. For information on using the application tool visit: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool.
The use of the tool is not a necessity under the HIPAA Security Rule and it is not a definitive source of guidance on HIPAA compliance, which should be obtained from the Health Information Privacy section of the HHS Office for Civil Rights website.