By ROLF LOWE
Wachler & Associates

The Department of Health and Humans Services (HHS) Office for the National Coordinator for Health Information Technology (NCHIT) and the Office of Civil Rights (OCR) will be releasing a new version of the Health Insurance Portability and Accountability Act (HIPAA) Security Risk Assessment Tool (SRA Tool) in the upcoming weeks. The SRA Tool is primarily designed to assist small to medium sized health care providers and the requirement to perform a risk analysis.

The requirement for covered entities to perform a risk analysis is part of the HIPAA security standards and can be found in the federal regulations delineating the administrative safeguards covered entities must comply with.  Administrative safeguards are defined as “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

A risk analysis, or risk assessment as it is often referred to, requires covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities of the confidentiality, integrity, and availability of electronic PHI created and maintained by the covered entity, or any of its business associates.  The risk assessment should be designed and tailored to the covered entity’s operations. Factors to consider in developing a risk assessment include:

  • The covered entity’s size and complexity of its operations
  • The technical infrastructure, hardware and software security capabilities
  • The likelihood and severity of any potential risks to the covered entity’s electronic PHI
  • The relative costs of security measures incurred by the covered entity in comparison to its fiscal capabilities

While a risk analysis is a requirement for all covered entities, when it comes to certain security measures covered entities may consider cost in deciding whether to adopt any standard or addressable implementation specifications but cannot use cost alone as a basis for choosing whether to do so. Covered entities should document their decision making in this area since it may be necessary to provide supporting documentation either during an audit of their administrative safeguards, or in the event of a HIPAA disclosure or breach of PHI and a need to prove an assessment was performed and to support its decision to not address certain security measures.

With the understanding that conducting a risk analysis can be a significant burden and cost to certain covered entities, OCR developed a SRA Tool over a decade ago to primarily help small and medium sized covered entities and business associates. The latest SRA Tool is version 3.5 and is available at HealthIT.gov. Version 3.5 contains updates and enhancements to the previous version based on input NCHIT and OCR received from user feedback and public input. Some of the updated features and enhancements include new content on mitigating organizational threats and vulnerabilities, risks related to an organization’s supply chain, references to the Healthcare and Public Health Cybersecurity Performance Goals and updated references to the National Institute of Science and Technology’s latest version of Cybersecurity Framework (version 2.0).

The performance of a risk analysis is just one component of HIPAA’s compliance requirements but as stated previously, it is often one of the first things a provider or business associate will be asked for in any audit or enforcement action initiated against it. A risk analysis may also be helpful in the event of any litigation resulting from a breach or disclosure. Typically, a risk analysis is done on an annual basis, or whenever there may be a significant change in the organization’s operations. Changes to operations may include any updates to critical information technology services or software, a sale or merger introducing and/or combining workforce members to the entity or significant changes to the covered entity’s supply chain and business associates. A risk analysis should also be a component of an organization’s third-party risk management plan.

For additional information or assistance please contact Rolf Lowe of Wachler & Associates at (248) 544-0888 or [email protected].