On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule. The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates. In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the confidentiality and integrity of electronic protected health information (e-PHI).
A provision of the Security Rule requires covered entities and business associates to conduct a risk assessment, in which they review the safeguards currently in place and identify potential vulnerabilities in security policies, processes, and systems. To help organizations comply with this sometimes onerous requirement, HHS has released an online template that will walk users step-by-step through the questions that must be asked as part of a required risk assessment. HHS notes that the tool will help entities document the current state of their security system as well as develop proper risk remediation plans.
The online tool can be downloaded from the website of the Office of the National Coordinator for Health Information Technology and accessed via a laptop or iPad. HHS also released paper-based tools for each safeguard required by the Security Rule: administrative, technical, and physical. HHS also offers instructional videos that provide more information on this new tool and on risk assessments in general.
This recent guidance by HHS is a good reminder for all covered entities and business associates to update their HIPAA policies to ensure compliance with all aspects of the Security Rule and likely gives insight into what HHS considers the floor in terms of a compliant risk assessment. As of September 2014, all business associates are expected to comply with this section of HIPAA. Even for entities that have conducted a risk assessment in the past, HHS requires periodic updates to risk assessments to ensure that they are up to date.