Health Information Technology Fo

What is security risk assessment?

June 20, 2014
A new security risk assessment tool from the U.S. Department of Health and Human Services will assist health-care providers in small- to medium-sized offices conduct assessments of their organizations. Maria Perno Goldie, RDH, MS, provides more information about the tool.
“The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Watch the Security Risk Analysis video to learn more about the assessment process and how it benefits your organization or visit the Office for Civil Rights' official guidance.” (1) Many offices are now using electronic health records (EHRs). They have changed the manner in which care is delivered and compensated. With EHRs, information is available whenever and wherever it is needed.(2)

A new security risk assessment (SRA) tool will assist health care providers in small to medium sized offices conduct risk assessments of their organizations. It is available from the U.S. Department of Health and Human Service (HHS). The SRA tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR).(3) The tool is intended to aid practices in conducting and documenting a risk assessment in an systematized manner. It will allow them to evaluate the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The application is available for downloading.(4) The tool creates a report that can be provided to auditors.

The website offers Top 10 Myths of Security Risk Analysis.(5) It discusses things like the fact that all providers who are “covered entities” under HIPAA are required to perform a risk analysis.(5) There is a Tool User Guide, and it is available for Windows and Mac users. There is also a Tutorial video to help providers begin using the tool. Videos on risk analysis and contingency planning are available at the website to provide further context.

HIPAA requires organizations that handle protected health information to frequently review the administrative, physical, and technical safeguards they have in place to protect the security of the information. These risk assessments can expose possible weaknesses in security policies, processes, and systems. Risk assessments also help providers address vulnerabilities, possibly preventing health data breaches or other adverse security events.

Make sure your office is HIPAA compliant!

RELATED | Team EHR: Everything you and your dental team need to know about electronic dental records

References 1. www.HealthIT.gov/security-risk-assessment. 2. Levingston, S. A. (2012). Opportunities in physician electronic health records: A road map for vendors. Bloomberg Government. 3. http://www.hhs.gov/news/press/2014pres/03/20140328a.html. 4. http://www.healthit.gov/providers-professionals/security-risk-assessment-tool. 5. http://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis.More by Maria Perno Goldie:Seeing redBoomers and the Greatest Generation
Maria Perno Goldie, RDH, MS, is the editorial director of RDH eVillage FOCUS.