The HIPAA Security Rule requires covered entities, such as group health plans and health insurance issuers, as well as business associates, to perform and document a “security risk assessment” (the Rule itself calls it a risk analysis, at 45 CFR § 164.308(a)(1)(ii)(A)) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information (“PHI”) maintained on their systems and applications. Yesterday, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released an updated version of the Security Risk Assessment Tool (“SRA Tool”), an easy-to-use interactive application that covered entities and business associates can use to create the required security risk assessment. The SRA Tool guides users through the risk assessment process with a series of multiple-choice questions, providing references and guidance along the way. The updated SRA Tool offers new features, including a glossary, tips, and a remediation report. OCR and the Assistant Secretary for Technology Policy will host live webinars with training sessions on September 15 at 12:00 p.m. ET and September 16 at 3:00 p.m. ET. You can register for the training sessions here.
OCR often cites the failure to perform a “security risk assessment” as one of the most common HIPAA violations it finds in investigations and audits. As a practical matter, most of the Security Rule’s requirements are likely already addressed by most companies’ IT procedures; what is frequently missing is the written assessment that ties those procedures to the specific risks to PHI. Employer plan sponsors of group health plans can partner with their internal IT teams to create the required “security risk assessment” using the SRA Tool, and thereby significantly reduce their exposure to potential fines and penalties under the HIPAA Privacy and Security Rules. Keep in mind that the assessment is not a one-time exercise: the Security Rule also requires that identified risks be managed to a reasonable and appropriate level, and the assessment should be revisited whenever systems, vendors, or the handling of PHI change.