Do You Need a HIPAA Security Risk Assessment Tool?
In this article, we examine what to look for in a HIPAA Security Risk Assessment (SRA) tool and why the SRA itself is essential.
The Basics of HIPAA Security Risk Assessment Tools
Any discussion of SRA tools should begin with the Security Risk Assessment itself. The SRA is the foundational requirement of the HIPAA Security Rule, which obliges covered entities and business associates to conduct an accurate and thorough analysis of the risks to the confidentiality, integrity, and availability of the protected health information (PHI) they hold. In practice, the SRA comprises six audits (one of which applies only to certain organizations) that together give a snapshot of how effectively an organization is currently protecting the privacy and security of patients' PHI.
These audits include:
- Asset and Device Audit
- IT Risk Analysis Questionnaire
- Physical Site Audit
- Security Standards Audit
- Privacy Standards Audit (not required for Business Associates that do not create PHI but merely possess or process it)
- HITECH Subtitle D Privacy Audit
The HIPAA rules do not specify a fixed interval for completing a Security Risk Assessment; they require only that the risk analysis be kept current. The widely accepted best practice is to conduct an SRA annually. Even so, failing to conduct a thorough, up-to-date SRA is one of the most common HIPAA violations cited by auditors from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).