
OCR Releases New HIPAA Security Risk Assessment Tool

In a move that underscores the growing urgency around health care cybersecurity, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released version 3.6 of its Security Risk Assessment Tool (SRA Tool). The SRA Tool is a free resource designed to help covered entities and business associates conduct HIPAA-compliant security risk assessments. It is particularly focused on small and medium-sized providers and can be a useful tool for any smaller entity subject to HIPAA. Non-provider entities, including business associates, may need to make modifications to the tool to fit their operations and security infrastructure.

This update improves the usability of the tool, including by adding a “reviewed by” feature to allow organizations to track internal approvals of components of the security risk assessment. Corresponding changes to the SRA Tool’s report function allow organizations to document their internal review and approvals.

HIPAA covered entities and their business associates should take this as yet another reminder of the importance of conducting a security risk assessment as a critical component of HIPAA compliance and as a risk mitigation strategy. OCR has continued to be laser-focused on the lack of comprehensive security risk assessments in its breach investigations, going so far as to launch its “Risk Analysis Initiative” last fall. Time after time, OCR has highlighted that the organizations that have experienced data breaches failed to conduct (or update) their security risk assessments or failed to remediate issues identified. OCR, in collaboration with the National Institute of Standards and Technology (NIST) and other agencies, has published a number of guidance materials to assist HIPAA regulated entities to understand their obligations under the HIPAA Security Rule, which are compiled here.

Upcoming Webinars

OCR and the Assistant Secretary for Technology Policy (ASTP) will host live webinars on September 15 at noon ET and September 16 at 3pm ET to walk through the new features and answer questions. Recordings of the webinars will be made available for those who cannot attend live. Based on past webinars, attendees will get the most value out of the webinar if they have already downloaded the updated Tool and associated user guide ahead of time.

Authors

Kate Stewart

Of Counsel

Kate F. Stewart is Of Counsel at Mintz and a former in-house counsel who focuses on legal issues affecting health care clients, including digital health and privacy regulations, clinical trial compliance, and transactions for for-profit and nonprofit clients. She represents traditional health care providers, payors, and digital health start-ups.
Cassandra L. Paolillo is Of Counsel at Mintz whose practice involves advising health care clients on transactional and regulatory matters, including mergers and acquisitions, regulatory compliance, and general contracting. Cassie primarily works with providers and payors.