In 2011, the U.S. Department of Health and Human Services (DHHS) , the federal agency for enforcing HIPAA, issued a Security Risk Assessment (SRA) tool through its Office of Civil Rights (OCR). In 2019, after an update, OCR is offering version 3.0 of the HHS Security Tool. The reviews are in, and….  As described below, version 3.0 of the HHS SRA Tool does not ensure compliance with the HIPAA Security Rule Risk Assessment requirement.

What is the HHS SRA Tool?

The HHS SRA toolkit is a free, online tool that the federal government claims is designed for use by small to medium sized health care practices (those healthcare provider covered entities with 1-to employees), and their business associates, to help them identify risks and vulnerabilities to ePHI. The updated HHS SRA tool, HHS claims, provides enhanced functionality to document how such organizations can implement or plan to implement appropriate security measures to protect ePHI.

Before analysis of this tool can begin, it should be noted off the bat that the government itself has put a proverbial giant warning label on this product. The tool features the following disclaimer:  “Disclaimer: The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.” So, even the government is acknowledging that the tool is hardly a one-stop shop compliance solution.

More specifically, while the HHS SRA toolkit does provide point-by-point instructions similar to those mandated by the Security Rule risk analysis requirement, experts advise that the tool may or may not be sufficient to cover your back in an audit scenario. 

The pros and cons of the HHS SRA Tool are discussed below.

What are Some Useful Features of the New SRA Tool?

The new tool does contain some useful features. The new SRA tool calculates risk by using the HIPAA audit protocol and NIST-based methodologies.  In addition, documents can be uploaded to the tool in bulk. HHS, which released version 3 in 2018, has also added a Business Associate Agreement function to the tool (note, however, that the tool does not actually produce an agreement based on user input). 

Questions that the user is prompted to answer now map back to the relevant HIPA citations, so that users can track how each question fits into the overall regulatory compliance scheme. 

Perhaps most significantly, the new tool has been designed to issue a Risk Analysis final report. This report, as the name suggests, is the end-result of a security risk assessment. Users should know, however, that the report contains an attached “flag” – signifying that the report operates within a larger margin of error based on how the user respond to the risk calculation. A model of precision, the tool is not. 

In What Areas is the Tool Deficient?

The tool essentially requires that the user be an omintasking risk technician. Each of its measures results in multiple questions. The questions must be selected by an individual who knows how to measure threat impact and threat occurrence likelihood each year.  The tool does not have an option that delegates particular questions to specific employees with the needed expertise to perform the assessment.

Take step #4, “Likelihood of Threat Occurrence,” to illustrate the problems with this lack of a delegation option. This step requires covered entities to consider each potential threat and vulnerability combination (Identification and Documentation of Potential Threats and Vulnerabilities is performed in Step 2 of the Security Risk Analysis) and rate them by likelihood (or probability) that the combination would occur. 

In determining this likelihood, organizations may describe probabilities using the phrase “High,” “Medium,” and “Low.” 

Under this rating system, in certain instances, a high probability exists that a threat will trigger or exploit one or more vulnerabilities. This might be due to the absence, severe inadequacy, or improper configuration of security controls. In other words, a threat may occur because of insufficient security measures. Threats may occur for other reasons, however, for a high probability of threat occurrence For example, a covered entity’s being in close physical proximity to an area vulnerable to tornadoes may also dictate a probability designation of “high.”

It is not particularly likely that a single individual in a company is the best-equipped, most knowledgeable individual, as to security AND as to meteorology AND as to seismology AND as to the knowledge required to evaluate other kinds of threats not even yet mentioned (for example,  has the covered entity experienced a recent rash of workplace violence? If it has, an HR professional might be better equipped to offer input about that trend than an IT professional could).  

The tool contemplates use by a would-be Man for All Seasons; life – not to mention businesses – do not function in this fashion.

Another problem with the tool: the Tool does not save any historical data related to past or previous assessments an organization may have completed. These older assessments cannot be imported into the tool. This deficiency is the SRA equivalent of a business having to create a phone book from scratch, every year. 

FInally, the tool is perhaps most deficient because of what it does NOT do. Version 3.0 does not:

• Provide guidance or training to users, who must, without such guiding or training, assign a risk score to each question
• Officer remediation planning, management, or remediation guidance. Remediation management is a required component of the security risk analysis.
• Include any policies and procedures. That’s right: The HHS SR tool contains zero (0) templates. It also does not review any current, existing policies and procedures. This flaw would result in a user who relies on the HHS SRA Risk Tool at the risk of using outdated templates.

In sum, while the tool has decent features, their utility is more than outweighed by the tool’s numerous problems and deficiencies. Whatever else about the tool is reflects accuracy, the government’s disclaimer certainly does.