OCR and ONC Release Updated Risk Analysis Tool

September 8, 2016

The Office of the National Coordinator of Health IT (ONC) and the Office for Civil Rights (OCR) released an updated security risk analysis tool September 6. The tool is designed to help small and medium-sized covered entities (CE) and business associates (BA) complete security risk analyses.

The tool asks the user a series of questions about his or her organization’s activities. Each question relates to specific HIPAA requirements and, based on the given answer, identifies risks that should be addressed. Additional information explains the possible risks to protected health information (PHI) if a particular HIPAA requirement is not met and references the Security Rule. Users can also have a question put in context to better understand how it may apply to an organization and what is required.

The tool is available in versions compatible with both Windows-based and Apple operating systems, including Apple’s mobile devices. A paper-based version can be saved and printed.

CEs and BAs are not required to use the ONC’s tool but must conduct regular, organizationwide risk analyses. Many of OCR’s recent HIPAA enforcement actions have hinged on the lack of organizationwide risk analyses. In August, Advocate Health Care Network, a Chicago-based healthcare system, agreed to a $5.55 million HIPAA settlement fine—the largest HIPAA settlement fine against a single entity. The OCR specifically mentioned the health system’s failure to conduct organizationwide risk analyses as a factor in the size of the settlement.

Risk analyses will likely be under particular scrutiny during OCR’s ongoing HIPAA audits. Phase two of the audit program kicked off in July with desk audits of CEs. BAs can expect to receive email notifications of desk audits this fall, and comprehensive onsite audits of both CEs and BAs will likely begin in early 2017. Although the audits are intended to help the agency learn about common HIPAA compliance pain points and develop better outreach and education tools, the agency will open a HIPAA violation investigation into a CE or BA if it discovers significant compliance gaps.
