HHS unveils new HIPAA security tool

Aimed at helping smaller providers with the risk analysis process

Small- to mid-sized healthcare organizations looking for help with HIPAA security risk assessment now have a new tool at their fingertips.
 
Officials at HHS' Office for Civil Rights -- the division responsible for enforcing HIPAA -- have said risk analysis is the area where healthcare entities most often make their biggest HIPAA misstep. To provide further guidance, OCR teamed up with ONC to develop a new security risk assessment tool designed to help practices conduct and document a risk assessment in a methodical, organized way.
 
[See also: Groups to pay $4M for privacy offense.]
 
Healthcare providers can download the application, which can also generate a report that can be passed on to auditors, officials say.
 
Under the HIPAA privacy and security rules, organizations handling protected health information must regularly review the administrative, physical and technical safeguards they have in place to protect that data. By conducting these risk assessments, healthcare providers can identify potential weaknesses in their security policies, processes and systems, OCR officials point out. Risk assessments can also help providers address vulnerabilities, potentially preventing data breaches or other adverse security events.
 
Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, federal officials note.
 
[See also: Ready or not: HIPAA gets tougher today.]
 
"Protecting patients' protected health information is important to all healthcare providers, and the new tool we are releasing today will help them assess the security of their organizations," said Karen DeSalvo, MD, national coordinator for health information technology, in a March 28 statement. "The SRA tool and its additional resources have been designed to help healthcare providers conduct a risk assessment to support better security for patient health data."
 
Susan McAndrew, deputy director of OCR's division of health information privacy, said she and her team were pleased to have worked with ONC on this project. "We believe this tool will greatly assist providers in performing a risk assessment to meet their obligations under the HIPAA Security Rule," she said in a press statement. 
 
The SRA tool's website contains a user guide and tutorial video to help providers begin using the tool. Videos on risk analysis and contingency planning are available at the website to provide further context.
 
When Healthcare IT News spoke with then-OCR chief Leon Rodriguez last fall, he said the biggest mistake HIPAA-covered entities and business associates make with regard to HIPAA is the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis."
 
[See also: 4-year long HIPAA breach uncovered.]
 
To date, more than 30 million people have had their protected health information compromised in a HIPAA privacy or security breach, according to data from the U.S. Department of Health and Human Services. HIPAA-covered entities have handed over some $18.6 million to settle alleged federal HIPAA violations, $3.7 million of that from last year alone. Those figures do not include state fines.
 
Just this week, Stanford Medicine, together with its business associate Multi-Specialty Collection Services (MSCS), was required to hand over $4.1 million in a class action settlement for violating California's medical privacy law, after MSCS wrongfully posted the PHI of some 20,000 patients to a student website for nearly a year.