Category: HITECH

The Case for Breach Notification by Business Associates

A business associate is an individual or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  HIPAA requires business associates to agree, in writing, to appropriately safeguard protected health information received or created on behalf of a covered entity.

HIPAA regards a breach involving a business associate as “discovered” by the covered entity on the date that the business associate knew or should have known about it, provided that the business associate is acting as the “agent” of the covered entity.  In performing covered functions or providing covered services (such as claims processing, billing, utilization review, PBM management, or clearinghouse duties), most business associates also exercise actual or apparent authority on behalf of the covered entity; that is, with either express or implied permission from the covered entity, the business associate holds itself out to third parties as being able to act in the place of the covered entity.  By doing so, they may qualify under federal law as “agents” of the covered entity.  The only time that a covered entity will not be charged with knowledge at the time of its business associate’s breach is in the exceedingly rare circumstance where the business associate was not acting as the “agent” of the covered entity.

Regardless of agency status, HIPAA permits a business associate to delay a report of a breach of PHI to the covered entity for up to 60 days.  This 60-day time period is extremely important because the HIPAA Breach Notification Rule requires individuals affected by breaches involving protected health information to receive notice of the breach within 60 days of its discovery, regardless of the number of individuals affected.  In addition, breaches involving 500 or more individuals must be reported to the media and the government within 60 days of discovery.

In most circumstances, the effect of these provisions is that a business associate does not have to notify the covered entity of a breach for up to 60 days, but each day that the covered entity remains unaware is one fewer day that it will have to report the breach to affected individuals, and possibly the government and media.  Unless the business associate contract requires the business associate to provide information regarding a breach to the covered entity within a few days, a dawdling business associate can potentially make it more difficult, if not impossible, for a covered entity to make all required notifications.  This is especially true in breaches involving 500 or more individuals which require all three forms of notification to occur within 60 days of discovery of the breach.

Because HIPAA will treat almost all breaches involving a business associate as “discovered” by the covered entity before the covered entity has actual knowledge of the breach, covered entities should consider delegating breach notification responsibility to business associates in these cases.  This can be easily done by including language in the business associate agreement to the effect that the covered entity reserves for itself the option of having the business associate provide all notifications required by HIPAA (and/or any applicable state breach notification laws) in the event of a breach.  The reason for this is twofold: first, while HIPAA permits a business associate to delay a report of breach of PHI to the covered entity for up to 60 days, in most cases, the covered entity will be “deemed to have knowledge” of the breach at the time the business associate knew, or should have known of it through the exercise of reasonable diligence.  Second, the business associate is likely to be better positioned to investigate the breach because of its proximity to the facts and individuals involved.

A business associate agreement should reflect the reality that covered entities have the ultimate responsibility to ensure that proper and timely notifications are made after a breach.  From the covered entity’s perspective, this means requiring their business associates to promptly report any breaches to the covered entity and to take the lead concerning all aspects of breach notification.  If the business associate is unequipped to provide breach response on its own, it can always outsource such functions, provided it first enters into a business associate agreement with that vendor.  If a business associate is unwilling to do either, then the covered entity may want to rethink its relationship with the business associate altogether.

Dealing with Insider Threats to HIPAA Security

While most Covered Entities rightly orient cyber security efforts against external threats, there has been a recent uptick in the intentional theft of protected health information (PHI) by employees and others from inside organizations. Although so-called “insider threats” are not the most common security problem, they are among the most costly and damaging. Because they originate from individuals who are trusted and therefore have a legitimate level of access to confidential data, they are also especially difficult to detect.

Illustrating this problem, in February 2015 a former hospital employee in Texas was sentenced to 18 months in federal prison after improperly obtaining PHI with the intent to use it for personal gain. More recently, a Blue Cross Blue Shield of Michigan (BCBSM) employee (and ten others in multiple states) was indicted on multiple counts of identity theft related crimes based on her alleged theft of BCBSM subscriber information.

According to the indictment, the BCBSM employee shared subscribers’ personal identifying information and distributed it to others who used it to apply for credit in subscribers’ names and make purchases across the country. Co-conspirators were arrested in Texas, Ohio and Michigan in possession of BCBSM subscriber information, counterfeit identification cards, and credit cards that were fraudulently obtained in the names of BCBSM subscribers. At other suspects’ homes, agents recovered BCBSM subscribers’ names, dates of birth and Social Security numbers in addition to counterfeit and re-encoded credit cards and gift cards. The indictment alleges that three of the co-conspirators used counterfeit credit cards at different stores and fraudulently obtained more than $742,000 worth of merchandise from Sam’s Club alone.

While indictments and prison sentences send a strong message from law enforcement about HIPAA protections, employers can also take important preventative steps to deter, thwart and detect potential insider threats. At a minimum, outbound data flows, including email systems, printers, USB drives and other forms of removable media, should be monitored for suspicious activity. This would not necessarily have stopped a group like those recently indicted in Michigan, who used the low-tech method of taking screenshots of subscriber information, but it could detect other types of unauthorized data movement, such as data removed directly from servers or corporate networks.

Most technological defenses, like passwords and other forms of user authentication, are designed to keep unauthorized users out, and consequently are of no use against insiders who, by definition, are authorized to access the systems that they target. As a result, combating insider threats requires a multidisciplinary approach. In addition to technological measures, employers should focus on deterrence by educating their workforce about the security measures in place to detect unauthorized data exfiltration and about the possible consequences, including jail time. Businesses should also think about who from the outside might target their data, which of their employees have access to that information, and how those individuals might pose a risk of data theft.  Employers should also get to know their employees’ regular workflows and routines. If someone who never accesses certain information or databases is suddenly doing so, that should be automatically flagged and investigated; so too if an employee is suddenly sending two or three times the usual volume of emails or data, which could suggest that data theft is underway. From a HIPAA compliance standpoint, Covered Entities should consider the insider threat possibility as part of their regular risk assessment process and develop appropriate protocols in response.
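The two signals described above (first-time access to a database a user never touched, and a sudden multiple of a user’s normal outbound volume) can be checked mechanically against a per-user baseline. The following is an added illustration, not code from the original post or from any product; it assumes a constructed audit-log format of `date user resource count` and an illustrative 2x volume threshold.

```python
"""Baseline-and-deviation check for insider-threat signals over constructed audit logs.

Added example; the log format, user names and the 2x threshold are assumptions
chosen for illustration, not a standard or a real organisation's data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample log: day, user, resource accessed, records read or messages sent.
# The first six lines form the "normal" history; the last four are the day under review.
SAMPLE_LOG = """\
2015-03-02 jdoe   claims_db      40
2015-03-03 jdoe   claims_db      45
2015-03-04 jdoe   claims_db      38
2015-03-02 asmith mail_out       12
2015-03-03 asmith mail_out       15
2015-03-04 asmith mail_out       11
2015-03-05 jdoe   claims_db      42
2015-03-05 jdoe   subscriber_pii 200
2015-03-05 asmith mail_out       40
2015-03-05 newhire claims_db     20
"""

Alert = Tuple[str, str, str, int]  # (user, resource, reason, count)


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    resource: str
    count: int


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, resource, count = line.split()
        events.append(Event(date.fromisoformat(day), user, resource, int(count)))
    return events


def build_baseline(events: List[Event], before: date) -> Dict[str, Dict[str, float]]:
    """Per user and resource, the mean daily count observed strictly before `before`.

    Only resources present here count as part of a user's normal routine.
    """
    counts: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e.day < before:
            counts[e.user][e.resource].append(e.count)
    return {u: {r: sum(c) / len(c) for r, c in res.items()} for u, res in counts.items()}


def detect(events: List[Event], baseline: Dict[str, Dict[str, float]],
           on_or_after: date, volume_factor: float = 2.0) -> List[Alert]:
    """Flag review-day events that deviate from the user's baseline.

    Reasons:
      no_baseline   - user has no history at all (new hire or new account): triage, not auto-alert
      new_resource  - user touched a resource never seen in their history
      volume_spike  - count is at least volume_factor times the user's mean for that resource
    """
    alerts: List[Alert] = []
    for e in events:
        if e.day < on_or_after:
            continue
        if e.user not in baseline:
            alerts.append((e.user, e.resource, "no_baseline", e.count))
        elif e.resource not in baseline[e.user]:
            alerts.append((e.user, e.resource, "new_resource", e.count))
        elif e.count >= volume_factor * baseline[e.user][e.resource]:
            alerts.append((e.user, e.resource, "volume_spike", e.count))
    return alerts


def run_example(review_day: date = date(2015, 3, 5)) -> List[Alert]:
    """Build the baseline from history before `review_day` and review that day."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, review_day)
    return detect(events, baseline, review_day)


if __name__ == "__main__":
    for user, resource, reason, count in run_example():
        print(f"{reason:13} {user:8} {resource:15} count={count}")
```

In the sample, jdoe's routine claims_db read of 42 is within baseline and not flagged, while the first-time subscriber_pii access and asmith's roughly threefold jump in outbound mail are.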

While the insider threat, like many others, can never be completely eliminated, an active deterrence and monitoring strategy coupled with intelligent technical solutions can reduce it significantly.

New Encryption Requirements For New Jersey Health Insurers May Catch On In Connecticut, But Probably Would Not Have Protected Anthem Subscribers

New Jersey has enacted and Connecticut is considering a bill that would require health insurance companies to encrypt electronic information in their possession. These developments come as the massive breach of personal protected health information at Anthem Health continues to reverberate throughout the healthcare industry.

While the New Jersey law and Connecticut proposal requiring encryption are important steps that will protect individuals in cases where a laptop or flash drive is lost or stolen, they are unlikely to provide any serious defense to a determined attack such as that involving Anthem Health, which involves the compromise of administrator-level credentials.

The New Jersey law, which goes into effect on August 1, 2015, requires all health insurance carriers issuing benefits in the state to encrypt or otherwise render unreadable any “personal information” which they compile or maintain.  This “personal information” includes a first name or initial and last name linked with their Social Security Number, driver’s license or State ID number, address, or any other form of individually identifiable health information such as medical or billing records, medical record numbers, or a variety of other identifiers.

The Connecticut proposal, much like New Jersey’s law, would require insurance companies operating in Connecticut to encrypt all personal information records stored and transmitted by them.  Connecticut would also go further by requiring that any health insurance company who holds, uses or transmits personal information adopt secure user authentication protocols (such as mandatory user IDs, unique passwords, and other measures) and upgrade information safeguards to limit future risks.

While encryption of protected health information is strongly encouraged by changes to HIPAA made by the HITECH Act and subsequent regulations, it is not currently required by federal law.  However, as targeted attacks on health care data become more sophisticated and commonplace, encryption and other security measures are quickly becoming the industry standard.

It is unlikely that either the New Jersey law or the Connecticut proposal requiring encryption would have protected Anthem subscribers affected by the most recent breach, which was discovered by a system administrator who noticed that their own credentials were being used to log into the system and submit queries.  Unauthorized individuals who gain access to an administrator account can end-run around most, if not all, technical defenses.  No amount of encryption will protect against thieves who use phishing, social engineering or other means to steal the keys to the virtual kingdom.

OCR Director Discusses Upcoming HIPAA Audits, Additional Rulemaking in 2015

Audits of Covered Entities and their Business Associates, which are required under the HITECH Act, have been delayed into 2015, according to comments made by Jocelyn Samuels, the Director of Health and Human Services’ Office for Civil Rights (OCR), because audit procedures have not been finalized. During a recent conference call with the media, Director Samuels would not commit to a specific timeline for the audits. These new audits will be done in-house by OCR and incorporate lessons learned from audits of 115 covered entities conducted in 2012 by KPMG, in addition to changes following enactment of the Final Omnibus Rule in 2013.  Although all aspects of HIPAA compliance may be examined, it is expected that through these audits OCR will closely scrutinize organizational Risk Assessment and Risk Management.  OCR anticipates that these audits will help it to identify best practices and uncover risks and vulnerabilities to privacy and security. Also according to OCR, the audits are expected to allow it to provide additional guidance and further refine future rulemaking regarding security and privacy.

In addition to the highly anticipated audits, OCR’s other plans for 2015 include:

  • A proposed rule that would allow individuals adversely affected by breaches of their protected health information to share in a percentage of the fine assessed by OCR against the party or parties responsible for the breach.
  • Additional guidance regarding the “minimum necessary” rule, which OCR views as intended to advance the policy goal that PHI only be used or disclosed when necessary for a particular purpose or to carry out a specific function.
  • Further clarification and guidance concerning the use of cloud storage and cloud computing services that have proliferated since the last major regulatory pronouncements related to the Security Rule.
  • Rulemaking related to the provision of an accounting of PHI disclosures upon request to patients.

ePHI Data Breach and the Consumer Fraud Act

The important protection against data breach liability by encrypting ePHI has been pointed out a number of times on this blog. Although not required by HIPAA or HITECH security rules, encryption is a practical solution to a potentially big problem. Indeed, the Office of Civil Rights has commented in the past that “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable.” While not required, encryption is an “addressable” implementation that nonetheless becomes effectively required under the “reasonable and appropriate” standard of review applied to the retrospective evaluation of security measures utilized in data breach circumstances. The burden is on the covered entity to show that it was unreasonable and inappropriate to have used encryption.

In any event, the persuasiveness of the argument for encryption as a matter of routine was strengthened on January 9, 2015 when Governor Christie signed Senate Bill 562 into law as P.L. 2014, c. 88.

This is an amendment to the New Jersey Consumer Fraud Act that will be codified at N.J.S.A. 56:8-196 to 56:8-198. The new legislation has an effective date of August 1, 2015.

It uses the definition of individually identifiable health information found in the HIPAA Privacy Rule and incorporates it into a broader category of “personal information.” N.J.S.A. 56:8-196. As of its effective date the statute mandates that a health insurance carrier shall not compile or maintain computerized records with personal information “unless that information is secured by encryption or by any other method of technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person.” N.J.S.A. 56:8-197. It explicitly provides that “more than the use of a password protection” is required if the password program only prevents general unauthorized access and does not render the information “unreadable, undecipherable, or otherwise unusable.”  These requirements are directed at computer systems broadly, including desktop computers, laptops, tablets or other mobile devices, and removable media.

New Jersey is the second state to impose explicit encryption requirements on personal information in a computerized form. Massachusetts had taken the first step with regulations effective in 2010 that had been promulgated pursuant to its anti-identity theft legislation. See generally 201 Mass. Code Regs. 17.04. The New Jersey restrictions currently apply only to health insurance carriers and do not extend to health care providers. This is consistent with the long-standing general proposition that the New Jersey Consumer Fraud Act does not apply to licensed professionals such as physicians or hospitals who are subject to comprehensive regulations by their own regulatory bodies. See, e.g., Macedo v. Dello Russo, 178 N.J. 340, 344-46, 840 A.2d 238, 240-42 (2004); Hampton Hosp. v. Bresan, 288 N.J. Super. 372, 381-83, 672 A.2d 725, 730-31 (App. Div.), certif. denied, 144 N.J. 588, 677 A.2d 760 (1996). But the statute certainly may be viewed as an expression of best practices if not an emerging standard of care.

Pursuant to N.J.S.A. 56:8-198 violations of the computer encryption statute are declared to be “an unlawful practice” subjecting violators to consequences under the Consumer Fraud Act. These include penalties of up to $10,000 for the first violation and up to $20,000 for the second and any subsequent violation. The Attorney General can bring an action for a cease and desist order and the court can order restitution. Lastly, an individual consumer who can demonstrate an ascertainable loss and a causal nexus between the alleged act of consumer fraud and the damages sustained can bring a private action for treble damages and attorney’s fees.

Overseas Hackers Suspected In Second-Largest HIPAA Breach In History Affecting 4.5 Million Patients

In its most recent SEC 8-K Filing dated August 18, 2014, Community Health Systems, Inc. (CHS), which operates over 206 hospitals in twenty-nine states, announced that an “Advanced Persistent Threat” group originating from China used “highly sophisticated malware and technology” to infiltrate its computer systems “and successfully copy and transfer certain data” in the form of “non-medical patient identification data,” including names, addresses, birthdates, telephone numbers and social security numbers, affecting 4.5 million individuals who were patients at CHS in the last five years.  This represents the second-largest breach of PHI in HIPAA history to date.

According to CHS, no credit card, medical or clinical information was compromised.  CHS has said that it has appropriately reported this incident in accordance with federal and state law, that it will be offering free credit monitoring to affected individuals, and that it possesses sufficient cyber/privacy liability insurance to address some of the losses related to remediation expenses, regulatory inquiries, litigation and other liabilities.

According to media reports, the intruders exploited the so-called Heartbleed flaw which allows the undetectable bypassing of virtually all security protections and permits the retrieval of sensitive data residing in the memory of computers or servers running certain software.  This permits intruders to “eavesdrop” and obtain passwords, banking credentials, and other sensitive data.  Heartbleed was first publicly revealed, along with a patch to fix it, by security researchers on April 7, 2014.

If this loss is the result of Heartbleed, it would represent the first known breach attributable to it.  Given the size of the breach, OCR will almost certainly investigate and examine whether CHS’s risk assessment and risk management programs were sufficient.  Since a patch was available on the date that the vulnerability was publicly announced, the investigation will likely focus on whether CHS should have updated its servers in a timelier manner between the time of Heartbleed’s revelation on April 7, 2014 and the attacks which occurred in April and June of 2014.  Fortunately for CHS and the individuals affected, CHS appears to have planned in advance for a breach, as evidenced by the presence of cyber/privacy insurance.

Focusing HIPAA Security Based on HHS’s 2011-2012 Annual Breach Report

The Department of Health and Human Services (HHS) recently released its 2011-2012 annual report on breaches of unsecured protected health information (PHI) to Congress.  In addition to the staggering number of individuals whose PHI was the subject of such breaches, this report, along with a companion report focused on breach notification rule compliance, provides valuable insights into OCR’s compliance trends.

In 2011 and 2012, breaches involving over 500 individuals accounted for almost 98 percent of all individuals (almost 15 million individuals) whose PHI was compromised in those two years.

These data highlight key areas of vulnerability, particularly with respect to electronic PHI.  With the increasing adoption of certified EHR technology through Meaningful Use, the potential for technological exploitation of ePHI vulnerabilities will continue to multiply.  Strategies that could offset this risk include:

  1. Updating and Monitoring Risk Analyses and Risk Management.  OCR has already identified risk analysis and risk management as areas of increased compliance scrutiny. All PHI handlers must perform a thorough risk analysis that identifies and addresses potential risks and vulnerabilities to all ePHI in their ecosystem, regardless of its form or location.  This review should include all computers, tablets, mobile devices, USB “flash” drives and network transmission of ePHI.
  2. Conducting Regular Security Evaluations.  Security evaluations should be done periodically and also incorporated into any change in operations, such as a facility, office or data relocation, that could potentially affect the security of PHI.  Clear policies and procedures should be put in effect to ensure that adequate physical and technical safeguards remain in place from the start of the transition period through the resumption of normal operations.  Technical evaluations of new software, hardware, websites, and other changes to IT infrastructure should be performed by qualified experts before these systems go “live,” to ensure that ePHI will not be inadvertently exposed.
  3. Monitoring Security and Control of All Portable Electronic Devices.  Policies should be implemented requiring that ePHI stored and transported on portable electronic devices be properly safeguarded.  This includes mandating the use of appropriate encryption technologies and clear policies and procedures concerning the receipt and removal of portable electronic devices and media containing PHI, and how such information must be secured while off-site.
  4. Secure Disposal of PHI and Media Containing PHI.  Employees should be given clear procedures to ensure destruction of paper-based PHI, including documenting the proper disposition of the files.  Similarly, if an electronic device is going to be reused or repurposed, it should first be securely wiped to ensure all ePHI is removed and rendered unrecoverable.  Any discarded electronic devices should be securely destroyed and that process adequately documented.
  5. Securing Physical Access Controls.  Physical security should not be overlooked in the technological landscape of modern healthcare. Organizations should ensure that physical access to their facilities and workstations is limited to authorized employees.
  6. Continuous Employee Training.  Privacy and security policies and procedures are virtually worthless if employees are not properly trained on them.  Employees and managers should be trained (and re-trained) concerning high-risk areas such as proper disclosure of PHI and security requirements.  Employees should also be made aware of sanctions and other consequences for failing to follow proper security and privacy policies and procedures.

HHS has previously stated that in 2014 it will emphasize compliance and security more than ever.  Already in 2014, HHS has collected more in resolution agreement settlements than it did in all of 2013.  Securing PHI is not only required by HIPAA, it also makes sound business sense in case your organization is investigated or randomly audited for HIPAA compliance.

ONC’s Look Ahead to “An Interoperable Health IT Infrastructure” Within 10 Years

The Office of the National Coordinator for Health Information Technology (ONC) has released an ambitious “concept paper” setting forth its “10-Year Vision to Achieve An Interoperable Health IT Infrastructure.”  The goal is to “make the right data available to the right people at the right time across products and organizations in a way that can be relied upon and used by recipients.”  ONC has identified three-, six-, and ten-year agendas towards this objective.

Though HIPAA’s implementation in 1996 and the meaningful use of certified electronic health record technology (CEHRT) have led to impressive advancements in technological innovation, ONC’s ten-year vision promises even more changes yet to come.

Extraordinary leadership will be required of ONC in collaboration with state and local governments, as well as the private sector.  To achieve this, ONC has identified “five critical building blocks” upon which to focus its efforts:

  1. Core technical standards and functions which build upon existing health IT (HIT) infrastructure;
  2. Certification to support adoption and optimization of health IT products and services;
  3. Privacy and security protections for health information, and greater transparency for individuals regarding the business practices of entities that use their data, even where those users are not specifically covered under the HIPAA Privacy and Security Rules;
  4. Supportive business, clinical and regulatory environments;
  5. Rules of engagement and governance.

Within three years, ONC intends to further standardize the vocabulary and structure of essential information, as well as address critical issues such as data provenance, data quality and reliability, and patient matching.  All of these efforts are geared towards improving the quality of interoperability and facilitating a vastly increased quantity of information captured by HIT infrastructure.  Simultaneously, a “common framework to enhance trust” will be implemented by addressing key privacy, security, and business policy and practice challenges related to the secure exchange of health information across existing networks.  In addition, ONC intends to advance policy and programmatic stimuli to encourage the use of this information in a manner which supports care delivery reform, improves quality, and lowers costs.

Within six years, by 2020, ONC envisions that individuals, care providers, and public health departments will send, receive, find and use an expanded set of health information across the entire industry in support of “team-based” care. By this time, interoperability between CEHRT and medical devices will enable remote monitoring from virtually any location, including homes, schools, and workplaces.  Data aggregation will give rise to “multi-payer” claims databases and clinical data registries.  Using this information, providers will be able to aggregate and trend information within and across groups of patients, and payers (including Medicare and Medicaid) will be able to implement value-based payment systems based on clinical analyses.

In 10 years, according to this ONC report, information sharing will be standardized and improved at all levels of public health, enabling patient-centered research to be better targeted, and individuals will be able to manage information from their own mobile devices and share that information seamlessly across multiple electronic platforms, such as healthcare providers, social service agencies, and consumer-facing applications.  In addition, these data will enable public health surveillance and retrospective analyses on an unprecedented level.

ONC’s roadmap depends on continued support and engagement from all healthcare stakeholders who are encouraged to be active participants in shaping the decisions which will define this industry for years to come.

Companies Should Not Rely on Traditional Insurance Policies to Cover Data Breach Investigation, Notification or Liability Costs

According to the Ponemon Institute’s 2013 Cost of Data Breach Study, the average total organizational cost of a data breach is over $5.4 million.  These costs include:

  • forensic investigation to determine what happened;
  • loss mitigation to minimize damages;
  • breach notification to government agencies and affected individuals;
  • defense costs associated with subsequent State and/or Federal regulatory investigations;
  • settlement/resolution costs resulting from government investigation, including the costs associated with multi-year integrity programs, call centers, incident response teams, and credit monitoring services;
  • civil litigation defense and settlement or trial costs;
  • public outreach and image/brand rehabilitation efforts;
  • revised internal policies, procedures and employee retraining.

In 2013, the Insurance Services Office (ISO) added a new data breach claim exclusion for “[a]ny access to or disclosure of any person’s or organization’s confidential or personal information.”

Considering similar exclusion language, in April 2014, the Eleventh Circuit Court of Appeals denied coverage under a standard commercial general liability (CGL) policy in a case where Interline Brands, Inc. was sued for sending “junk faxes” in violation of the Telephone Consumer Protection Act.  See Interline Brands v. Chartis Specialty Insurance, Co., — F.3d —, 2014 WL 1424432 (11th Cir. 2014).  It is likely that this court would view a data breach exclusion like that recently proposed by ISO in the same manner.  This opens the door for other jurisdictions to do the same.

As data breaches will continue to occur even to the best prepared entities, costs will continue to escalate.  This is particularly true in the healthcare sector, where the Office of Civil Rights (OCR) on May 7, 2014 announced a $4.8 million settlement with two major metropolitan health care organizations for potential HIPAA violations related to the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.  In addition, OCR’s investigation found that neither entity made efforts prior to the breach to ensure that the server containing the ePHI was secure and that it contained appropriate software protections.  OCR also determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access the other’s ePHI.  As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.  One entity also failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

These settlements come in the wake of two earlier data breach settlements related to stolen laptops resulting in total settlements of over $1.9 million.

Particularly in light of the broadened reach of regulatory authorities under HITECH and ONC’s warnings of increased compliance and enforcement actions in 2014, it is absolutely imperative for companies that handle PHI, ePHI and other forms of protected information to purchase technology or data breach insurance with sufficient limits that specifically covers them in the event of a security incident or actual breach.  It would be foolish to assume that “standard” CGL policies will provide any coverage.  Such assumptions create unnecessary risks that coverage will not be provided when a claim is submitted, and nobody should wait until that time to learn that their carrier will not provide a defense or liability coverage.

Security Risk Assessments: 2014 Audit Focus and Toolkit Released by ONC

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards concerning the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to consumers.

HITECH also requires HHS to perform periodic audits of Covered Entities’ and their Business Associates’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules.  The HHS Office for Civil Rights (OCR) enforces these rules.  As part of their compliance with the HIPAA Security Rule, Covered Entities and their Business Associates must periodically conduct a “security risk assessment” (SRA) on their systems which handle electronic protected health information (ePHI).  SRAs can uncover potential weaknesses in their security policies, processes and systems.  They also help providers and their Business Associates address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data and is a critical compliance metric which OCR considers when investigating a possible breach.

Although they are required under the HIPAA Security Rule, SRAs are often overlooked.  They are also a Core Requirement for providers seeking reimbursement under the Medicaid and Medicare EHR Incentive Program, commonly known as the “Meaningful Use” Program.

In 2011, OCR established a pilot audit program to assess the controls and processes covered entities have implemented. Through this program, OCR developed a protocol, or set of instructions, which it then used to measure the efforts of 115 covered entities.  As part of OCR’s continued commitment to protect health information, it instituted a formal evaluation of the effectiveness of the pilot audit program.  Through this and subsequent evaluations, OCR has found that most Covered Entities did not conduct adequate SRAs.  Consequently, SRAs have been identified by OCR as an area of interest as it prepares in 2014 to conduct audits of Covered Entities and, for the first time, their Business Associates.

OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) have jointly released a new SRA Tool designed to assist small to medium-sized providers in conducting and documenting risk assessments in a thorough, organized fashion.  The release of this Toolkit, along with other statements from ONC and the Office of Inspector General, indicates a growing expectation that Covered Entities and their Business Associates, regardless of size or complexity, conduct and document SRAs as part of their ongoing HIPAA compliance programs.

The SRA Tool’s website includes a user guide and video tutorial about the software along with additional videos concerning risk analysis and contingency planning to provide further context.