Privacy & Information Security Law Blog

On March 28, 2014, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) released a tool to assist covered entities in complying with the HIPAA Security Rule requirement to conduct a risk assessment. The HIPAA Security Rule obligates covered entities to accurately and thoroughly assess “the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information” (“PHI”) they maintain. The tool, which is aimed at small to medium health care providers, was developed jointly by OCR and the HHS Office of the National Coordinator for Health Information Technology (“ONC”), and follows the National Institute of Standards and Technology’s development of a similar toolkit.

The tool contains 156 questions and resources that are designed to help health care providers:

• Understand the context of each question;
• Consider the potential impacts to PHI if certain HIPAA Security Rule requirements are not met; and
• View the actual text of the HIPAA Security Rule.

HHS also developed a user guide and instructional videos to supplement the tool. Health care providers can store their answers and comments in the tool and view their current results at any time.

Upon its release, Susan McAndrew, Deputy Director of OCR’s Division of Health Information Privacy, noted that the tool “will greatly assist providers in performing a risk assessment to meet their obligations under the HIPAA Security Rule” while Karen DeSalvo, National Coordinator for Health Information Technology, commented that “[p]rotecting patients’ protected health information is important to all health care providers and the new tool we are releasing today will help them assess the security of their organizations.”