In an effort to ensure that healthcare organizations of all sizes can prepare for potential cybersecurity issues, the Office of the National Coordinator (ONC) and the Office for Civil Rights (OCR) recently updated the HIPAA Security Risk Assessment (SRA) Tool.
The SRA was first launched in 2014 to help small- and medium-sized organizations work toward HIPAA compliance. The revised SRA continues with that same goal, according to a blog post by ONC IT Security Specialist Ebony Brice and OCR Health Information Privacy Security Specialist Nick Heesters.
The revised SRA is also compatible with Windows 8.0, 8.1, and 10 and has a Save As feature that lets organizations save their assessment to a different location or share it with colleagues. Furthermore, the PDF reports have an improved look and functionality, and entities have more options for what they can include in the report.
“Conducting regular security risk analyses, and remediating any vulnerability, is a fundamental requirement of HIPAA Security Rule compliance,” the duo wrote. “In fact, OCR conducts audits of entity compliance focused on this standard. This tool helps HIPAA-regulated entities assess their risks and document that assessment.”
The SRA tool also helps organizations streamline their risk analysis activities. For example, organizations must answer a series of “yes” or “no” questions about their processes. There are resources within the tool to ensure entities understand each question’s context, are able to consider the consequences if ePHI requirements are not met, and can see the “actual requirements language of the HIPAA Security Rule.”
“You can use the tool as your local repository for your answers, comments, and plans,” Brice and Heesters explained. “Your answers are stored wherever you store the tool and neither OCR nor ONC can access your answers. You can use the tool as often as you need to reassess your organization’s health information security risks. We encourage you to conduct risk assessments on an annual basis.”
Failing to conduct regular risk assessments could not only lead to a healthcare data breach, but could also result in a covered entity or business associate being fined by OCR.
In July 2016, the University of Mississippi Medical Center (UMMC) agreed to an OCR HIPAA settlement that included a $2.75 million fine.
OCR determined after an investigation into a reported breach that UMMC did not take adequate risk management security measures, even after UMMC was aware of certain risks and vulnerabilities to its system.
“In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame,” OCR Director Jocelyn Samuels explained in a statement. “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.”
Business associates are also not exempt from having to perform regular risk assessments.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), which provided management and IT services to six skilled nursing facilities, agreed to pay $650,000 as part of its settlement.
OCR found that CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS” since the HIPAA Security Rule was implemented.