The Department of Health and Human Services (HHS) has recently released a new security risk assessment tool for the purpose of aiding covered entities and business associates in their never-ending duty of ensuring HIPAA/HITECH compliance with their operations.Under HIPAA/HITECH, covered entities and business associates must conduct regular risk assessments of the administrative, physical, and technical safeguards incorporated into their policies and procedures that protect the security of protected health information. Risk assessments are designed to help covered entities and business associates uncover potential weaknesses in their security policies and systems, and prevent health data breaches and other adverse security events. As many are aware, risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for covered entities seeking payment through the Medicare and Medicaid EHR Incentive Program (Meaningful Use Program). HHS has made it clear that it is essential to conduct ongoing risk assessments in order to be in compliance with HIPAA and HITECH. Moreover, once gaps and vulnerabilities have been identified, HHS requires covered entities and business associates to take whatever steps necessary to address, correct, and document.

The new risk assessment tool is particularly designed for covered entities and business associates in small to medium-sized settings. The tool provides guidance through each of the Security Rule’s standards, and offers information on each standard to help identify potential threats, vulnerabilities and impacts in a user’s security system. The tool also offers examples of safeguards that covered entities or business associates may be able to implement to address the risks and to further protect the confidentiality, integrity, and availability of electronic protected health information. Moreover, users are able to make notes in the tool to document how they currently meet a standard and whether and how they will implement the standard in the future. The tool will generate a report indicating risk levels based on the answers provided and also produce a report that can be provided to auditors.

The risk assessment tool is available as an application for Windows and for iOS. The Windows version is available for downloading at www.HealthIT.gov/security-risk-assessment and the iOS version is available from the App Store (search for “HHS SRA tool”). Public comments on the HHS security risk assessment tool will be accepted until June 2, 2014.