Security risk assessment tool updated for smaller practices

All HIPAA-covered entities and their business associates are required to conduct an initial comprehensive security risk assessment to identify “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information,” the federal privacy rule states. Achieving and maintaining the security of PHI is not only a requirement of the rule but a way to help prevent costly data breaches.

Small- to medium-sized health care practices with one to 10 providers now have an upgraded tool designed specifically to help them complete this assessment. The U.S. Department of Health and Human Services’ Office of Civil Rights released an updated version of its security risk assessment tool, the SRA 3.0, that is easier to use and covers a broader range of possible risks to health information.

Along with an enhanced user interface, new features were built into the SRA 3.0, including:

  • Detailed reports
  • Improved rating of threats and vulnerabilities
  • Progress tracker
  • Business-associate and asset tracking

The OCR launched the SRA 3.0 in October 2018 after conducting and analyzing comprehensive usability testing of the previous version (2.0). Health care practice managers completed certain tasks in SRA 2.0 and then repeated the same tasks with the SRA 3.0 for a comparison of user experience. The result, the OCR says, was an overall improvement of the user experience.

The new detailed reports, for example, present the results of the risk assessment in a form that helps practice managers identify risks in existing policies, processes and systems. While performing the assessment, the user also receives suggested methods for mitigating the security risks identified.

Currently, SRA 3.0 is only available for Microsoft Windows operating systems. Any practices using iPads may still download the previous version of the tool from the Apple App Store. Both versions of the SRA are free to use or download.

CDA Regulatory Compliance Analyst Teresa Pichay reminds HIPAA-covered dental practices that after the initial comprehensive risk assessment is completed, they are not required to perform the risk assessment annually. “They can instead do periodic gap analyses,” she said, but they must perform a comprehensive risk assessment when the data security environment or the entity’s information system, policies and procedures have “significantly changed since the last assessment.”

Dental practices can download the SRA 3.0 from the Office of the National Coordinator for Health Information Technology.
