New Tools to Help Providers Conduct Security Risk Assessments

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), recently released a jointly developed tool designed to assist small and medium sized practices (one to ten healthcare providers) in conducting  security risk assessments (the “SRA Tool”). This tool can be found at

The HIPAA Security Rule mandates that covered entities and business associates assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic PHI they hold and take appropriate measures to minimize those risks and vulnerabilities.  These steps are a crucial part of an entity’s Security Management Process and considered by HHS to “form the foundation upon which an entity’s necessary security activities are built.”

The Rule does not specifically outline the steps entities should take in conducting a risk analysis or dictate how often it should be done.  In previous guidance, HHS indicated that covered entities could use, but were not required to use, any of the National Institute of Standards and Technology (“NIST”) publications, such as SP 800-30 – “Risk Management for Information Technology Systems.”  Others have used the OCR Audit Program Protocol to guide them in conducting risk assessments or developed home grown tools.

Use of the SRA Tool is not required by the Security Rule or by OCR, nor does it guarantee compliance with HIPAA or state privacy and security laws.  The purpose of this specific tool is to “assist healthcare practices in performing and documenting a Security Risk Assessment.”  Although small to medium practices are the target audience, larger organizations or practices can benefit from viewing the tool and tailoring it to their specific needs. The tool does not include provisions to assess for compliance with the Privacy Rule.