HHS’s Newly Updated Security Risk Assessment Tool Helps Entities Better Protect Electronic Health Information
November 2, 2023
In September, the U.S. Department of Health and Human Services Office for Civil Rights and Office of the National Coordinator for Health Information Technology announced the release of an updated Security Risk Assessment Tool. The tool is designed to make it easier for entities and business associates covered under HIPAA to understand and remediate risks to electronic health information.
In an effort to help small and medium-sized entities covered under the Health Insurance Portability and Accountability Act (HIPAA) understand and remediate risks to electronic health information, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) announced the release of an updated tool in September.
According to OCR and ONC, the updated Security Risk Assessment (SRA) Tool assists users in meeting their responsibility to protect electronic health information under the HIPAA Security Rule and its risk analysis provision. The update comes amid continued efforts from OCR to ensure compliance with the Security Rule through enforcement actions and proactive measures, such as educating covered entities on best practices for safeguarding health information.
HIPAA’s Security Rule risk analysis provision requires covered entities and business associates to conduct “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of their electronic protected health information (e-PHI). Many state, county, and local health departments are HIPAA covered entities and therefore are subject to the Security Rule and must conduct an accurate enterprise-wide risk analysis under this provision.
According to the SRA Tool user guide, the tool is a free, interactive program that guides users through a series of questions about basic security practices, security failures, risk management, and personnel issues. The tool indicates whether corrective action is appropriate based on users’ answers. Among other changes, the updated version includes a new “Remediation Report” feature for documenting plans to remediate risks identified by the tool.
As explained in the user guide, the Remediation Report identifies all questions answered in a manner indicating risk and provides a space for documenting appropriate corrective action. For example, if a health department’s answers indicate that it lacks procedures for reviewing access to systems containing e-PHI, the Remediation Report provides a space for recording plans to implement appropriate procedures, identifying a target due date for remediation activity, and tracking completion. The new version additionally includes an interactive glossary of terms and integrates information from the Health Industry Cybersecurity Practices Technical Volume 1, a compilation of health care cybersecurity practices developed for small organizations by HHS.
The release of the updated SRA Tool follows several recent enforcement actions brought against covered entities by OCR for noncompliance with the Security Rule and the risk analysis provision in particular. In September 2023, OCR entered into a settlement agreement with a publicly operated health plan to resolve potential violations of the Security Rule, including a “failure to conduct an accurate and thorough risk analysis.” The health plan agreed to pay $1.3 million and to conduct a risk analysis as part of a corrective action plan.
In recent years, health departments have also been the subject of Security Rule enforcement actions involving noncompliance with the risk analysis provision. A city health department, for example, entered into a settlement agreement with OCR following a 2017 breach of e-PHI. In its investigation of the incident, OCR determined that the health department failed to conduct a risk analysis, as required by the Security Rule, resulting in unmitigated vulnerabilities. The health department agreed to implement a corrective action plan, under which it would conduct a “comprehensive and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [e-PHI].”
These and other enforcement actions highlight the difficulty some organizations face in fulfilling their obligations to safeguard e-PHI. In the overview of the updated risk analysis tool, OCR and ONC recognize that many small and medium-sized organizations have limited budgets, resources, and staff to conduct assessments of constantly evolving risks. Because it provides a free method for conducting a risk analysis, the SRA Tool may be a valuable resource for entities that find compliance with the risk analysis standard burdensome. However, because the SRA Tool is designed for small to medium-sized entities, it may be of limited utility for larger entities, such as larger health departments with a greater number of devices and more complex systems.
The Network has developed additional resources to support entities in complying with HIPAA and protecting individuals’ health information while utilizing data to advance public health. More information from OCR and ONC on the updated risk analysis tool is available here.
This post was written by Emma Kaeser, Staff Attorney, Network for Public Health Law – Mid-States Region. The Network for Public Health Law provides information and technical assistance on issues related to public health.
The legal information and assistance provided in this document do not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state. Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.