Last week, the Department of Health and Human Services (HHS) released a new, free, downloadable tool to assist small and medium-size health care provider offices to conduct security risk assessments (SRA).[1]

SRAs are required of Health Insurance Portability and Accountability Act (HIPAA) covered entities, as part of the HIPAA Security Rule. They are also required of providers seeking electronic health record incentive payments. The purpose of an SRA is to identify aspects of Electronic Protected Health Information (EPHI) systems—protected health information covered under HIPAA and produced, saved, transferred or received in electronic form—in need of new or improved security controls.

In general, the Security Rule is concerned with safeguarding the confidentiality, integrity, and availability of EPHI. Are there conditions, for example, where EPHI could be disclosed without proper authorization? Improperly modified? Where vulnerabilities are identified, providers are required to adopt or modify protections.

The new software is intended to provide guidance in understanding implementation requirements of the HIPAA Security Rule. How does it work? The SRA tool includes 156 yes-no questions on technical, physical and administrative specifications. For every answer, the tool indicates whether corrective action is necessary. The application produces a summary report that users have the option of saving.

As the adoption of electronic devices in healthcare settings grows and their applications expand, any additional guidance is likely to be useful. However, the summary produced by the new tool is not a statement of compliance. It is unlikely to be able to, and is not meant to, replace all other SRA tools and resources on its own.

HHS disclaimers attached to the new tool emphasize its limited applicability:

The Security Risk Assessment Tool at is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: The NIST Standards provided in this tool are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.

Although use of the SRA tool cannot be relied upon to demonstrate unassailable compliance with the Security Rule’s risk analysis requirement, providers will undoubtedly appreciate its user-friendliness. In addition, reliance on a government-developed tool could prove to be protective in the event of a HIPAA breach, OCR complaint investigation or audit, criminal investigation or lawsuit.

HHS is accepting public comments on the new SRA tool at The deadline for submitting comments is June 2, 2014.


[1] Downloadable versions of the tool and additional information are available here.