Updated ONC Security Risk Assessment Tool Released

by | Sep 8, 2016

OCR normally to settles HIPAA compliance issues through voluntary compliance and non-punitive means, although financial penalties are now becoming more the norm. If OCR investigators find HIPAA violations, financial penalties may be issued. Fines of up to $1.5 million can be pursued for each violation category found.

One of the most commonly experienced reasons for a financial penalty is the failure to complete a comprehensive, organization-wide risk assessment. The risk assessment is a pivotal requirement of the HIPAA Security Rule – 45 C.F.R. §§ 164.308(a)(1)(ii)(A), and is one of four required implementation specifications in the Security Management Process.

The purpose of the risk assessment is to uncover all potential risks to the confidentiality, integrity, and availability of all ePHI that a covered entity creates, receives, maintains, or transmits. The risk assessment review all forms of ePHI, and all devices and systems that touch ePHI.

As was the case with the pilot phase of the HIPAA compliance audits and subsequent PHI breach investigations, small to medium-sized covered bodies often struggle with the risk assessment.

To help covered bodies comply with this element of the Security Rule, the Office of the National Coordinator for Health Information Technology (ONC), Office of the General Counsel (OGC), and OCR formulat eda security risk assessment tool.

The security risk assessment tool developed by the OCR is a self-contained operating system-independent application for Windows devices and iPads. The tool can be utilized to ensure that a risk assessment is conducted in a thorough, organized fashion.

The tool includes 156 questions covering HIPAA requirements in relation to each covered body’s activities. It is not necessary to use the tool, although it is advisable for small to medium-sized covered bodies.

The tool was first released in March 2014, but is regularly updated. This week ONC/OCR has revealed that the tool has been updated with new features including enhanced reporting functions. The new tool also works with Windows 10. An updated paper-based version of the tool has also been made available to covered entities.

The tool can be downloaded for no charge from the Apple App store or from the HealthIT.gov website.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy