In an effort to aid entities in satisfying HIPAA compliance requirements, the Department of Health and Human Services' Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) jointly released a risk assessment tool on Friday, March 28th. The tool, available on the ONC’s website, is intended to help entities perform the risk assessment required by the HIPAA Security Rule. It can be downloaded and will produce a report that may be provided to auditors in the event of an audit.
As stated above, the tool may be useful in helping entities perform the risk assessment required by the HIPAA Security Rule. The risk assessment can be a difficult requirement to meet. The issue has received some attention recently because entities are not always performing the assessment. In particular, a risk assessment is also required when attesting to Meaningful Use, and some providers were found to be non-compliant when audited.
As quoted in the release, Karen DeSalvo, M.D., the head of ONC, stated: “Protecting patients’ protected health information is important to all health care providers and the new tool we are releasing today will help them assess the security of their organizations.”
While the tool may be helpful, entities should be careful about relying solely upon it. The ONC’s webpage includes a disclaimer that the tool is for informational purposes only and that no guarantee is provided that it complies with all applicable laws. In light of that disclaimer and good practice, entities should still seek appropriate advice and guidance to ensure a risk assessment is performed in compliance with the requirements of HIPAA.