OCR Updates HIPAA Assessment Tool
By Greg Freeman
The Office for Civil Rights (OCR) has updated a self-assessment tool that covered entities can use to determine how well they are complying with HIPAA, and the new version presents an opportunity to see how useful the resource can be.
All covered entities are required to conduct a security risk analysis, which is an assessment of the potential risks and vulnerabilities to the entity’s protected health information (PHI), explains Erin Dunlap, JD, an attorney with Coppersmith Brockelman in Phoenix. This assessment can be done internally, or an organization can hire an outside vendor to perform it. While HIPAA does not require an organization to conduct a risk analysis annually, OCR has stated that a risk analysis should be performed as the environment changes, such as when new technologies or business operations are implemented.
To help small- and medium-sized organizations comply with the risk analysis obligation, OCR provides an online tool called the Security Risk Assessment Tool (SRA Tool). Prior versions of the SRA Tool were not very user-friendly, Dunlap says. They were cumbersome, and personnel did not understand the questions or what steps were necessary in response to an identified risk and how to document those steps. The “new and improved” version of the SRA Tool (version 3.4) is much easier to use, Dunlap says.
The updated SRA Tool includes several new features, including a glossary page, embedded tips, and a remediation report that allows users to track responses to vulnerabilities inside the tool, such as assigning an owner and completion date and linking documents. OCR also updated references and links, added a content version warning that alerts users if they are working in an old file, and generally improved usability.
However, Dunlap notes these limitations to consider:
- The updated tool can only be downloaded on computers running Microsoft Windows 7/8/10/11 (Apple and Mac users are encouraged to use the SRA Tool Excel Workbook available at the same link as the SRA Tool).
- Administrative rights are required to run the tool.
- Multiple users can access the tool (and users and changes are tracked), but only one user can access the tool at a given time.
- An audit date will only be changed if the response is changed.
- All information entered in the tool must be stored locally on the user’s computer. (OCR does not store any information entered in the SRA Tool.)
“If your organization is subject to HIPAA and has not performed a risk analysis or needs to perform another risk analysis because there was a change to the ePHI environment, you should consider using or at least reviewing the updated SRA Tool before spending time and resources developing your own process or hiring an outside vendor,” Dunlap explains. “If your organization receives a data request from OCR because you experienced a breach or someone filed a complaint, OCR will likely ask for the most recent risk analysis. It is prudent to have a current and thorough risk analysis on file.”
More Useful Tool
OCR is trying to make the tool more robust, says Jordan T. Cohen, JD, partner with Akerman in New York City. The tool will be most useful for small- to medium-sized covered entities because large entities tend to have more complicated systems to assess.
“What OCR is really trying to do here is give everyday healthcare providers a tool to help them comply with their risk analysis requirements. Year in and year out, failure to conduct an appropriate risk analysis is probably the biggest issue that OCR sees when they’re investigating breaches,” Cohen says. “It really grinds their gears.”
It is important to remember that HIPAA security risk analysis is not meant to be a one-and-done proposition, whether the organization uses the OCR/Office of the National Coordinator for Health Information Technology (ONC) SRA Tool, consultants, or other mechanisms in performing the analysis, says Lynne Rinehimer, a manager with symplr, a healthcare operations company based in Houston. When it comes to security and technology, changes happen with regularity, so ongoing risk analysis will be necessary.
The organization needs to determine at what frequency it will conduct risk assessments — most likely annually — and commit to that schedule in the form of a policy and procedure, Rinehimer says. This also should include circumstances that would require the organization to deviate from the schedule it defines, such as a system change.
Because the SRA Tool can be downloaded for free, it provides the opportunity for organizations to better own their assessment process, Rinehimer says. Using outside consultants or software is not always a viable option for smaller organizations.
“In its Guidance on Risk Analysis, HHS establishes that OCR and ONC will be holding training sessions and an overview of the SRA Tool,” Rinehimer says. “Organizations that have not previously used the SRA Tool or those that could use a refresher should strongly consider utilizing the training materials/recordings to maximize its use.”
A comprehensive review by a qualified third-party consultant is always recommended, but if it is cost-prohibitive, the SRA Tool can be an effective means of performing a HIPAA risk assessment, says Layna Cook Rush, CIPP/US, CIPP/C, shareholder with Baker Donelson in Baton Rouge, LA.
“It is imperative, however, that the response to the questions in the tool be thorough and accurate. All key workforce members should be involved in the process,” Rush says. “Also, many entities conduct a risk assessment without preparing a corresponding management plan. The HIPAA Security Rule requires that regulated entities do both.”
The SRA Tool is only as good as the responses the entity provides to the questions, Rush notes. It can provide a valuable resource and help assess compliance issues if the entity takes the time to respond completely and accurately to the questions and formulate a corresponding management plan to respond to the vulnerabilities identified.