HIPAA Security Risk Assessment Tool

In an effort to aid entities in satisfying HIPAA compliance requirements, the Department of Health and Human Services Office for Civil Rights and the Office of the National Coordinator for Health Information Technology (ONC) jointly released a risk assessment tool on Friday, March 28th. The tool is available on the ONC's website. It is intended to help entities perform the risk assessment required by the HIPAA Security Rule. The tool can be downloaded and produces a report that may be provided to auditors in the event of an audit.

As stated above, the tool may be useful in helping entities perform the risk assessment required by the HIPAA Security Rule. The risk assessment can be a difficult requirement to meet. The issue has received attention recently because entities are not always performing the assessment. In particular, a risk assessment is also required when attesting to Meaningful Use, and some providers were found to be non-compliant when audited.

As quoted in the release, Karen DeSalvo, M.D., the head of ONC, stated: "Protecting patients' protected health information is important to all health care providers and the new tool we are releasing today will help them assess the security of their organizations."

While the tool may be helpful, entities should be careful about relying on it alone. The ONC's webpage includes a disclaimer that the tool is for informational purposes only and that no guarantee is provided that it complies with all applicable laws. In light of that disclaimer and as a matter of good practice, entities should still seek appropriate advice and guidance to ensure a risk assessment is performed in compliance with the requirements of HIPAA.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.