OCR and ONC Bolster the Security Risk Assessment (SRA) Tool with New Features and Improved Functionality
Patients not only expect quality health care to keep them healthy, but also trust that their most sensitive health information will be protected from threats and vulnerabilities that could lead to its compromise. An enterprise-wide risk analysis is not only a requirement of the HIPAA Security Rule, it is also an important process to help healthcare organizations understand their security posture to prevent costly data breaches. What is an enterprise-wide risk analysis? It is a robust review and analysis of the risks to the confidentiality, integrity, and availability of electronic health information, across all lines of business, in all facilities, and in all locations.
The HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have updated the popular Security Risk Assessment (SRA) Tool to make it easier to use and apply more broadly to the risks to health information. The tool is designed for use by small to medium-sized health care practices – those with one to 10 health care providers – covered entities, and business associates to help them identify risks and vulnerabilities to ePHI. The updated tool provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI.
ONC and OCR conducted comprehensive usability testing of the SRA Tool (version 2.0) with health care practice managers. Analysis of the findings across the user base informed the development of the content and the requirements for the SRA Tool 3.0. ONC and OCR then conducted testing of the SRA Tool 3.0 to compare the user experience in completing the same tasks presented in the first round of testing. You'll find the tool to be more user-friendly, with helpful new features such as:
- Enhanced User Interface
- Modular workflow with question branching logic
- Custom Assessment Logic
- Progress Tracker
- Improved Threats & Vulnerabilities Rating
- Detailed Reports
- Business Associate and Asset Tracking
- Overall improvement of the user experience
Using a Windows operating system? Download the Windows version of the tool at http://www.HealthIT.gov/security-risk-assessment. The iOS iPad version was not updated, but the previous version is available at the Apple App Store (search under "HHS SRA Tool").
And don't forget to explore the SRA Tool's website, which provides a revised User Guide to help you get started.
Remember: All HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by their organization. If you haven't conducted a recent enterprise-wide risk analysis, now is the time to download the HHS SRA Tool to help with this foundational element upon which the security activities necessary to protect ePHI are built.