HHS Announces Self-Assessment Tool for HIPAA Security Compliance
April 29, 2014 – The Office of the National Coordinator for Health Information Technology (ONC) recognizes that conducting a risk assessment can be a challenging task. That’s why ONC, in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), developed a downloadable SRA Tool to help guide covered entities through the process.
http://healthit.gov/sites/default/files/SRATool_desktop_v1.3.exe
This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment.
The SRA Tool is a self-contained, operating system (OS) independent application that can be run on various environments including Windows OS’s for desktop and laptop computers and Apple’s iOS for iPad only. The iOS SRA Tool application for iPad, available at no cost, can be downloaded from Apple’s App Store.
The SRA Tool takes a covered entity through each HIPAA requirement by presenting a question about the organization’s activities. The “yes” or “no” answer shows the covered entity whether it needs to take corrective action for that particular item. There are a total of 156 questions.
Resources are included with each question to help the covered entity:
• Understand the context of the question
• Consider the potential impacts to its PHI if the requirement is not met
• See the actual safeguard language of the HIPAA Security Rule
The covered entity can document its answers, comments, and risk remediation plans directly into the SRA Tool. The tool serves as your local repository for the information and does not send your data anywhere else.
Completing a risk assessment requires a time investment. At any time during the risk assessment process, the covered entity can pause to view its current results.
The results are available in a color-coded graphic view (Windows version only) or in printable PDF and Excel formats.
For details on how to use the tool, download the SRA Tool User Guide:
http://www.healthit.gov/sites/default/files/risk_assessment_user_guide_final_3_26_2014.pdf
A paper-based version of the tool is also available:
Administrative Safeguards: http://www.healthit.gov/sites/default/files/20140312_sratool_content_-_administrative_volume_v1.docx
Technical Safeguards: http://www.healthit.gov/sites/default/files/20140320_sratool_content_-_technical_volume_v1.docx
Physical Safeguards: http://www.healthit.gov/sites/default/files/20140318_sratool_content_-_physical_volume_v1.docx