OCR and ONC update Security Risk Assessment tool

October 26, 2018
Medicare Web

The HHS Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) announced last week in a press release that they have updated the Security Risk Assessment (SRA) tool with improved functionality to assess risks to protected health information (PHI).

HHS reminded readers that the HIPAA Security Rule requires all HIPAA covered entities (CE) and business associates (BA) to conduct an accurate enterprise-wide assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by their organization. HHS also noted that it is important for healthcare organizations to understand the costly risks associated with data breaches.  

The SRA tool is designed for small and medium-sized healthcare CEs and BAs (those with one to 10 providers) to help them identify risks to their ePHI. Updates to the tool (version 3.0) resulted from comprehensive usability testing of SRA tool 2.0 conducted by ONC and OCR with healthcare practice managers to evaluate content and user experience.

According to the press release, improvements to the tool include:

  • BA and asset tracking
  • Custom assessment logic
  • Detailed reports
  • Enhanced user interface
  • Improved threats and vulnerabilities rating
  • Modular workflow with question branching logic
  • Overall improvement of the user experience
  • Progress tracker

The Windows version of the tool can be found at http://www.HealthIT.gov/security-risk-assessment. The website provides an updated user guide as well.
