The Department of Health and Human Services’ Office for Civil Rights (OCR) has released an updated version of its Security Risk Assessment Tool to help covered entities comply with the risk analysis provision of the HIPAA Security Rule.

The risk analysis is one of the most important elements of the Health Insurance Portability and Accountability Act’s Security Rule. The purpose of the risk analysis is to identify all risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI). If a risk analysis is not conducted, or if it does not include all systems, devices, and locations where ePHI is stored, risks are likely to be missed and will then not be included in an organization’s risk management process.

The risk analysis provision of the HIPAA Security Rule causes problems for many HIPAA-covered entities and business associates. Noncompliance with this HIPAA provision is the most common HIPAA violation to attract a financial penalty.

To help covered entities and their business associates comply with this aspect of the HIPAA Security Rule, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and OCR developed a Security Risk Assessment Tool to guide covered entities and their business associates through the risk assessment process.

The Security Risk Assessment Tool will be of most use to small- to medium-sized healthcare organizations and will guide them through conducting a compliant risk assessment. Use of the tool does not guarantee compliance with this aspect of the Security Rule or with other federal, state, or local laws, and the tool is not an exhaustive or definitive source on safeguarding ePHI. It will, however, help those organizations comply with this important Security Rule provision and ensure adequate administrative, physical, and technical safeguards are implemented.

The latest release incorporates several new features that improve usability. These new features were added as a result of feedback from users of the tool.

The new features include enhancements to the user interface, custom assessment logic, modular workflow, a progress tracker, more detailed reports, business associate and asset tracking, and threats & vulnerabilities rating. Other updates have been made to improve the overall user experience.

The new Security Risk Assessment Tool – Version 3.1 – can be downloaded from this link.