The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR) just posted an updated Windows only version of its HIPAA risk assessment tool (SRA). I know; lots of exciting acronyms, abbreviations, and labels!
You can download the new software on the government’s Health IT website here.
The ONC published both a user guide and a presentation on the new risk assessment tool. Those who have forgotten that a risk assessment must be done, that it should be reviewed and updated or hasn’t cared to attempt the task to date, will find these documents and tools very useful. At a minimum, the tools will help you focus on issues you might not have considered and will help you keep track of “assets” and contracts.
The tool covers the following topics:
- Section 1: Security Risk Assessment (SRA) Basics (security management process
- Section 2: Security Policies, Procedures, & Documentation (defining policies & procedures)
- Section 3: Security & Your Workforce (defining/managing access to systems & workforce training)
- Section 4: Security & Your Data (technical security procedures)
- Section 5: Security & Your Practice (physical security procedures)
- Section 6: Security & Your Vendors (business associate agreements and vendor access to PHI)
- Section 7: Contingency Planning (backups and data recovery plans)
For those few individuals remaining who believe they can collect identifiable health information without complying with these requirements, you should remember that Washington State has a continously expanding number of statutes and rules governing data privacy and security. Even if you don’t collect or create personally identifiable health information, these tools are useful for understanding and mitigating risks associated with proprietary and personal information.
It’s usually better to find out about vulnerabilities before you engage the world.