In the wake of the record setting $16 Million dollar settlement and resolution agreement with Anthem, Inc, the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) released a new version of their Security Risk Assessment tool. The new tool and recent settlement agreement renew the emphasis of OCR on the performance of HIPAA Security Risk Assessments by covered entities and their business associates.
The new tool provides a more user friendly format for an organization to step through common threats and vulnerabilities to be addressed under the HIPAA Security Rule. Unlike the prior version, the updated tool also provides summary information in a format that supports identification of areas for improvement, based on the organization’s response to questions and NIST best practice guidance. The updated tool also provides a method for a covered entity or business associate to document an asset inventory and business associate agreement list, both of which are key documents to ensuring a comprehensive risk assessment process.
While many organizations will have a risk assessment process that incorporates legal counsel and security experts, this tool provides a do-it-yourself process for smaller organizations and can be the foundation for additional assessment by larger organizations.