Updated ONC Security Risk Assessment Tool Released

OCR normally to settles HIPAA compliance issues through voluntary compliance and non-punitive means, although financial penalties are now becoming more the norm. If OCR investigators find HIPAA violations, financial penalties may be issued. Fines of up to $1.5 million can be pursued for each violation category found.

One of the most commonly experienced reasons for a financial penalty is the failure to complete a comprehensive, organization-wide risk assessment. The risk assessment is a pivotal requirement of the HIPAA Security Rule – 45 C.F.R. §§ 164.308(a)(1)(ii)(A), and is one of four required implementation specifications in the Security Management Process.

The purpose of the risk assessment is to uncover all potential risks to the confidentiality, integrity, and availability of all ePHI that a covered entity creates, receives, maintains, or transmits. The risk assessment review all forms of ePHI, and all devices and systems that touch ePHI.

As was the case with the pilot phase of the HIPAA compliance audits and subsequent PHI breach investigations, small to medium-sized covered bodies often struggle with the risk assessment.

To help covered bodies comply with this element of the Security Rule, the Office of the National Coordinator for Health Information Technology (ONC), Office of the General Counsel (OGC), and OCR formulat eda security risk assessment tool.

The security risk assessment tool developed by the OCR is a self-contained operating system-independent application for Windows devices and iPads. The tool can be utilized to ensure that a risk assessment is conducted in a thorough, organized fashion.

The tool includes 156 questions covering HIPAA requirements in relation to each covered body’s activities. It is not necessary to use the tool, although it is advisable for small to medium-sized covered bodies.

The tool was first released in March 2014, but is regularly updated. This week ONC/OCR has revealed that the tool has been updated with new features including enhanced reporting functions. The new tool also works with Windows 10. An updated paper-based version of the tool has also been made available to covered entities.

The tool can be downloaded for no charge from the Apple App store or from the HealthIT.gov website.