The U.S. Department of Health and Human Services (HHS) has updated the Security Risk Assessment (SRA) tool, which is designed to help health care providers in small to medium sized practices conduct information security risk analyses of their organizations, as required under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. New features of the tool include Windows 10 compatibility and improved reporting features.

The tool, available at www.HealthIT.gov, is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). It is designed to help practices conduct and document an assessment of potential security risks in a thorough, organized fashion. The tool also produces a report that can be used in case of a HIPAA audit or investigation.

HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting the risk analysis, health care providers can uncover potential weaknesses in their security policies, processes and systems. It also address vulnerabilities, potentially preventing health data breaches or other adverse security events.

Conducting a security risk analysis is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program.

Despite the name, it is important to note that this tool is a risk analysis tool, rather than a tool to assist physicians in conducting a "risk assessment" in order to determine whether certain breach notification requirements have been triggered following a breach of security. It is important to note that this tool is provided for informational purposes only and does not guarantee compliance with federal, state, or local laws.

The tool is available for both Windows operating systems and iPad. Download the Windows version here. The iPad version is available from the iTunes App Store (search “HHS SRA tool”).

For more information on the risk analysis requirements under HIPAA, see CMA On-Call document #4102, "HIPAA Security Rule." On-Call documents are available free to members in CMA's online health law library. Nonmembers can purchase documents for $2/page.

CMA is also hosting a live webinar, "Is Your Practice at Risk for a HIPAA Security Breach?" on November 2, 2016. In this webinar, CMA’s HIPAA advisor, David Ginsberg, will discuss common threats and breaches, how to safeguard and strengthen your systems, and what to do if you have a breach.

Contact: CMA legal information line, (800) 786-4262 or legalinfo@cmadocs.org.