ONC and OCR Introduce Revised Security Risk Assessment Tool

The Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC) have released a new version of the HHS Security Risk Assessment (SRA) Tool.

The HIPAA Security Rule requires HIPAA-regulated entities to perform a thorough, organization-wide risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). All identified risks and vulnerabilities must then be addressed through a risk management process that reduces them to a low and acceptable level.

Risk analyses are essential for HIPAA compliance. They allow HIPAA-covered entities to determine whether they comply with the administrative, technical, and physical safeguards of the HIPAA Security Rule and to select the most effective and appropriate physical, technical, and administrative measures for securing ePHI. Investigations and audits of HIPAA-regulated entities have shown that risk analysis is an aspect of compliance that many healthcare providers fail to get right, and it is one of the most frequently cited HIPAA violations in OCR enforcement actions.

In 2014, ONC and OCR jointly developed and released the SRA Tool to help small- and medium-sized healthcare practices and business associates with this essential aspect of HIPAA Security Rule compliance. The SRA Tool is a downloadable desktop program that guides HIPAA-regulated entities through the risk analysis process using a wizard-based approach with multiple-choice questions, threat and vulnerability ratings, and asset and vendor management.

The SRA Tool has been revised several times over the years, and the latest version adds new features in response to user feedback and public input. These include Health Industry Cybersecurity Practices (HICP) references, file associations in Windows, improved reports, bug fixes, and stability enhancements.

ONC and OCR have also created a new SRA Tool Excel Workbook, which is intended to replace the legacy paper version of the SRA Tool. The workbook uses conditional formatting and formulas to calculate and help determine risk in the same way as the SRA Tool software, making it a good option for users who do not run Microsoft Windows.

ONC and OCR state that using the tool does not guarantee HIPAA compliance, but it can help regulated entities work toward compliance. The tool was designed for small and medium-sized organizations and may not be suitable for larger healthcare organizations.

The SRA Tool, which is available for download on this page, runs on 64-bit versions of Microsoft Windows 7/8/10/11. The new SRA Tool Excel Workbook can be used on other operating systems.