October 16, 2018
ONC and OCR Bolster the Security Risk Assessment (SRA) Tool with New Features and Improved Functionality
Patients expect not only quality health care to keep them healthy, but also trust that their most sensitive health information will be protected from threats and vulnerabilities that could lead to the compromise of one’s health information. An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches. What is an enterprise-wide risk analysis? It is a robust review and analysis of the risks to the confidentiality, integrity, and availability of electronic health information -- across all lines of business, in all facilities, and in all locations.
The HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have updated the popular Security Risk Assessment (SRA) Tool to make it easier to use and apply more broadly to the risks to health information. The tool is designed for use by small to medium sized health care practices – those with one to 10 health care providers – covered entities, and business associates to help them identify risks and vulnerabilities to ePHI. The updated tool provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI.
ONC and OCR conducted comprehensive usability testing of the SRA tool (version 2.0) with health care practice managers. Analysis of the findings across the user base informed the development of the content and the requirements for the SRA Tool 3.0. ONC and OCR then conducted testing of the SRA tool 3.0 to compare the user experience in completing the same tasks presented in the first round of testing. You’ll find the tool to be more user friendly, with helpful new features such as:
- Enhanced User Interface
- Modular workflow with question branching logic
- Custom Assessment Logic
- Progress Tracker
- Improved Threats & Vulnerabilities Rating
- Detailed Reports
- Business Associate and Asset Tracking
- Overall improvement of the user experience
Using a Windows operating system? Download the Windows version of the tool at http://www.HealthIT.gov/security-risk-assessment. The iOS iPad version was not updated, but the previous version is available at the Apple App Store (search under “HHS SRA Tool”).
And don’t forget to explore the SRA Tool’s website, which provides a revised User Guide to help you get started.
Remember: All HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by their organization. If you haven’t conducted a recent enterprise-wide risk analysis, now is the time to download the HHS SRA Tool to help with this foundational element upon which the security activities necessary to protect ePHI are built.
The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all covered entities and business associates. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.
NOTE: The NIST Standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.