HIPAA Security Risk Assessment Considerations
The following are the top three takeaways from a recent HIPAA Security assessment webinar sponsored by the OCR, HHS, and ONC:
1. HIPAA Risk Assessment
Conducting a thorough, comprehensive HIPAA risk assessment of an organization is crucial for HIPAA compliance. A detailed analysis of systems and processes is a required administrative safeguard under the HIPAA Security Rule, and failure to conduct a comprehensive security risk analysis often leads to HIPAA sanctions. For more information about conducting HIPAA risk assessments, TBHI’s previous articles may be of interest:
- HIPAA Risk Assessment Requirements
- Recent HIPAA Security Rule Update: Recognized Security Practices
- Understanding HIPAA Risk Assessment
To simplify this difficult process, OCR and ONC have developed the SRA Tool, which is available for free. It can be used online to complete the risk assessment and to document the assessment findings and mitigation strategies. Both individuals and organizations should expect to spend a considerable amount of time performing a HIPAA security risk assessment, whether or not they use the SRA Tool. As can be expected, the quality of the assessment is directly proportional to the time and effort put into it.
2. Potential Risks in HIPAA Security Risk Assessment
A covered entity can expect to be required to evaluate its entire security landscape when performing the HIPAA security risk assessment. It is insufficient to assess only one security aspect, such as threats to an electronic health record (EHR). Instead, when conducting the assessment, entities must consider potential risks and vulnerabilities to electronically transmitted protected health information (PHI) in email, on mobile devices, and in cloud-based applications.
3. SRA Tool Improvements
Recent SRA Tool improvements include the following:
- The SRA Tool now has an interactive spreadsheet version. Covered entities that cannot run the software tool, or that prefer to work in a spreadsheet format, can use the spreadsheet version instead.
- Criteria from the Health Industry Cybersecurity Practices (HICP) Technical Volume 1 have been incorporated into the Tool to provide users with context on cybersecurity best practices.
- File association features allow users to open files created with the SRA Tool with greater ease.
- Short instructional videos have been added to help users navigate the Tool.
The SRA Tool is still incompatible with macOS, and future updates will not add support for this operating system. However, macOS users are now able to use the downloadable, interactive spreadsheet version.
Your Opinion Matters
SRA Tool users can provide feedback using this Survey. Those who have previously used the Tool can share their experiences and opinions about the SRA Tool and its user interface.