A new version of the HHS Security Risk Assessment (SRA) Tool has been jointly developed by the Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR).
A comprehensive, organization-wide risk assessment is a requirement of the HIPAA Security Rule. Risk assessments are conducted to identify areas where electronic protected health information (ePHI) may be at risk and to check whether an organization is compliant with the administrative, physical, and technical safeguards of the HIPAA Security Rule. After conducting a risk assessment, organizations can reduce risks to the security or integrity of ePHI as part of their risk management process.
The risk analysis is an element of HIPAA Security Rule compliance that many HIPAA-regulated entities get wrong, so to help with compliance ONC and OCR developed the SRA Tool. There is no single risk analysis methodology that will be appropriate for all healthcare organizations, and methods and approaches will vary based on the size, complexity, and capabilities of the organization. The SRA Tool has been developed specifically to help small- and medium-sized healthcare organizations with their risk assessments.
The SRA Tool is a Windows application that can be downloaded from the HHS website that guides HIPAA-regulated entities through the process of conducting a risk assessment, and includes multiple-choice questions, threat and vulnerability assessments, and asset and vendor management, with references and guidance provided by the SRA Tool throughout that process. The SRA Tool also generates reports that can be saved or printed.
The latest version of the SRA Tool includes several feature enhancements that have been added in response to feedback from users, such as the incorporation of Health Industry Cybersecurity Practices (HICP) references, file association in Windows, improved reports, and other bug fixes and stability improvements.
ONC and OCR previously produced a legacy paper version of the Tool for use by healthcare organizations that do not have access to Windows devices. This year, a new SRA Tool Excel Workbook has been released to replace the paper version of the tool. The Excel Workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application.
It is important to note that the use of the SRA Tool does not guarantee compliance with federal, state, or local laws, and the SRA Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. The SRA Tool may also not be suitable for large healthcare organizations.