On October 16, 2018 the Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) announced an update to their previously provided Security Risk Assessment Tool. According to ONC and OCR, the “tool is designed to help healthcare providers conduct a security risk assessment” as required under the HIPAA Security Rule. ONC states that the updated tool includes additional features such as:
- Enhanced user interface
- Modular workflow
- Custom assessment logic
- Progress tracker
- Threats & vulnerabilities rating
- Detailed reports
- Business associate and asset tracking
- Overall improvement of the user experience
As with prior tools, the ONC/OCR tool includes a broad disclaimer noting that use of the tool “does not guarantee compliance with federal, state or local laws”. Indeed, ONC and OCR encourage providers to “seek expert advice when evaluating the use of the tool.”
Ultimately, while the tool may provide a useful resource for small physician groups, larger organizations are more likely to need what is rapidly becoming the industry standard of having a security risk assessment/risk analysis performed by an outside third party, and ensuring additional assessments (such as penetration testing of the systems) are a part of that full risk assessment for the organization.
If your organization has any questions or needs assistance with a privacy and security related issue, please reach out to members of our Privacy and Security Group: Patricia Wagner, Alaap Shah, Brian Cesaratto, Adam Forman, or Wenxi Li.