Security Risk Assessments: 2014 Audit Focus and Toolkit Released by ONC

by Leonardo M. Tamburello

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards concerning the privacy of protected health information (PHI), the security of electronic protected health information (ePHI), and breach notification to consumers.

HITECH also requires HHS to perform periodic audits of Covered Entities' and their Business Associates' compliance with the HIPAA Privacy, Security, and Breach Notification Rules.  The HHS Office for Civil Rights (OCR) enforces these rules.  As part of their compliance with the HIPAA Security Rule, Covered Entities and their Business Associates must periodically conduct a "security risk assessment" (SRA), which the Security Rule itself terms a "risk analysis," of the systems that create, receive, maintain or transmit ePHI.  SRAs can uncover weaknesses in security policies, processes and systems.  They also help providers and their Business Associates remediate identified vulnerabilities, potentially preventing health data breaches or other adverse security events.  A rigorous, documented risk assessment process supports improved security of patient health data and is a critical compliance factor that OCR considers when investigating a possible breach.

Although they are required under the HIPAA Security Rule, SRAs are often overlooked.  They are also a core requirement for providers seeking incentive payments under the Medicare and Medicaid EHR Incentive Programs, commonly known as the "Meaningful Use" Program.

In 2011, OCR established a pilot audit program to assess the controls and processes Covered Entities had implemented.  Through this program, OCR developed an audit protocol, a set of instructions, which it then used to evaluate 115 Covered Entities.  As part of its continued commitment to protecting health information, OCR instituted a formal evaluation of the effectiveness of the pilot audit program.  Through this and subsequent evaluations, OCR found that most Covered Entities had not conducted adequate SRAs.  Consequently, OCR has identified SRAs as an area of focus as it prepares in 2014 to audit Covered Entities and, for the first time, their Business Associates.

OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) have jointly released a new SRA Tool designed to help small and medium-sized providers conduct and document risk assessments in a thorough, organized fashion.  The release of this Toolkit, together with other statements from ONC and the HHS Office of Inspector General, indicates a growing expectation that Covered Entities and their Business Associates, regardless of size or complexity, conduct and document SRAs as part of their ongoing HIPAA compliance programs.  Note that the Tool supports the risk assessment process; using it does not by itself satisfy the Security Rule, which requires that the assessment be accurate, thorough, and periodically updated.

The SRA Tool's website includes a user guide and a video tutorial on the software, along with additional videos on risk analysis and contingency planning that provide further context.