Are You Using the HHS HIPAA Security Risk Assessment Tool? Be Sure to Get the 2019 Update
The U.S. Department of Health and Human Services (HHS) recently released an update to its Security Risk Assessment Tool for Windows operating systems. (The tool is not available for Mac OS, but an older version is still available for iPad.)
About the Tool
The purpose of the tool is to help small and medium-sized healthcare providers perform the required risk assessment relating to the security of personal health information (PHI), including electronic PHI (ePHI). If you aren’t already using it, you can download the tool here for Windows devices.
There are a lot of government organizations involved, but basically here’s what’s behind the tool:
- Health Insurance Portability and Accountability Act (HIPAA) Security Rule: Covered entities (and their business associates with access to protected information) are required to conduct a risk assessment of their organization to ensure it is compliant with HIPAA safeguards. These fall into three categories: physical, administrative and technical.
- HHS Office for Civil Rights (OCR) collaborates with the Office of the National Coordinator for Health Information Technology (ONC): The two organizations worked together to design the Security Risk Assessment (SRA) Tool to guide healthcare providers through the risk assessment process.
- Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program: CMS added a security risk analysis to the incentive program and specified the parameters laid out in the HIPAA Security Rule, listing the tool developed by ONC and OCR as a resource.
When information is entered into the tool, it is stored on the user’s computer or tablet, but it is not transmitted to HHS. After all information is entered, a report is generated that helps the user determine where there are risks in their processes, policies or systems. Methods for resolving issues are also provided.
What’s in the Update?
The tool is updated annually, and the features added to the newest version are based on user requests. HHS hasn’t provided a list yet, but according to HIPAAJournal.com, these include:
- Threat and vulnerability validation
- Incorporation of NIST Cybersecurity Framework references
- Improved asset and vendor management
- Question flagging and a new Flagged Report
- Ability to export Detailed Reports to Excel
- Fixes for several reported bugs to improve stability
It’s important to note that the tool can’t guarantee compliance, and results will only be as good as the effort that goes into entering complete and accurate information. The more seriously it is used, the better the outcome will be.
Medcare MSO is a full-service medical revenue cycle management (RCM) company. Give us a call today at 800-640-6409 to find out how we can streamline not only your medical billing but all of your credentialing and compliance needs at surprisingly affordable rates.