Kusserow on Compliance: New HIPAA risk analysis tool released

The HHS Office for Civil Rights (OCR) and Office of the National Coordinator of Health Information Technology (ONC) released a new jointly developed downloadable Security Risk Assessment (SRA) Tool to assist providers and professionals to perform HIPAA compliance risk assessments. It was designed primarily for small and medium-sized covered entities and business associates. The Tool is a self-contained, operating system (OS) independent application that is available at no cost, can be downloaded from Apple’s App Store. It guides users through each HIPAA requirement by presenting questions answerable as “yes” or “no” to indicate if there is a need for corrective action for any of the 156 question items. Guidance provides assistance in:

  • Understanding the context of the question
  • Considering the potential impacts to your PHI if the requirement is not met
  • Seeing the actual safeguard language of the HIPAA Security Rule

The Tool can serve as the local repository for the information and does not send your data anywhere else. At any time during the risk assessment process, you can pause to view your current results. The results are available in printable PDF and Excel formats. For details on how to use the tool, download the SRA Tool User Guide. A paper-based version of the tool is also available:

Camella Boateng, an experienced HIPAA consultant, makes the point that “Covered Entities and Business Associates are not mandated to use this tool; however they are required to conduct regular, organization-wide risk analyses for HIPAA compliance. Much of my work over the last year has been assisting clients in conducting a system-wide HIPAA compliance reviews. Using the tool greatly assists in doing this. If you monitor the OCR website, it is clear from the many recent HIPAA enforcement actions that many organizations have not performed such analyses properly.”

Suzanne Castaldo, JD, notes, “OCR can be counted upon to include review of risk analyses of organization during the Phase 2 HIPAA audits and that results from these reviews will result in many Business Associates being notified of having a desk audit before the end of this year. OCR plans following up with field audits for both Covered Entities and Business Associate beginning in 2017 that will have twin objectives of learning more about HIPAA compliance in general, as well as having some of the audits finding cases that warrant becoming enforcement investigations of HIPAA violations.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2016 Strategic Management Services, LLC. Published with permission.