Cybersecurity Client Alert – HHS Releases HIPAA Security Risk Assessment Tool

    By Jason R. Davis, Laura Dickson Rixey, Data Privacy and Security

    Organizations that have access to electronic protected health information should be aware of a new tool that is available to assist in achieving compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) security regulations (the “Security Rule”). Pursuant to the Security Rule, covered entities and their business associates must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” 45 C.F.R. 164.308(a)(1)(i)(ii)(A) and (B).

    These security risk assessments are often overwhelming, costly, and difficult to manage, particularly for smaller organizations. Nevertheless, security risk assessments are essential for organizations of all sizes in order to comply with the Security Rule and to prevent breaches of protected health information and other adverse security events. Furthermore, the security risk assessment is a requirement for providers that seek payment through the Meaningful Use Program, otherwise referred to as the Medicare and Medicaid Electronic Health Records Incentive Program.

    In response to this need, the U.S. Department of Health and Human Services (“HHS”) Office of the National Coordinator for Health Information Technology partnered with the Office for Civil Rights to devise a tool to aid organizations in assessing, analyzing, and documenting their security risks. The Security Risk Assessment Tool addresses the three main areas that HIPAA requires organizations to periodically review with regard to the measures they take to protect the security of electronic protected health information: administrative, physical, and technical safeguards. Not only does the tool contain 156 “yes” or “no” questions designed to assess the current state of the organization’s security protocol, but it also provides helpful information tailored to address issues raised by the organization’s responses to these questions. Lastly, the tool has various documentation functions, such as a printable final report, to assist the organization with its HIPAA compliance efforts and security improvement measures moving forward.

    The tool is available online at, where it can be accessed by organizations looking for assistance in conducting their security risk assessments. The software is available in Windows and iOS iPad formats. Additionally, a User Guide and Video Tutorials are available on the website so that organizations have resources for understanding how to navigate the application. For those less technologically inclined, there are paper versions of the guide available.

    Before using the Security Risk Assessment Tool, organizations should take note of its limitations. First, the Security Risk Assessment Tool is best suited for small to medium-sized organizations. Larger organizations should consider continuing to utilize consulting services and other large-scale technical resources available to them. Nonetheless, the Security Risk Assessment Tool is still a good starting point for organizations of any size looking to conduct an initial security risk assessment.

    Additionally, the tool may not contain the most current information or best practices for properly securing electronic protected health information; thus, it should not be considered a substitute for considering the full implications of the HIPAA Security Rule requirements. The website itself makes the following disclaimer: “The Security Risk Assessment Tool at is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”

    Accordingly, organizations should not solely depend on the Security Risk Assessment Tool to achieve compliance with the HIPAA Security Rule’s requirements. Rather, the Security Risk Assessment Tool should be used as a roadmap for organizations as they navigate the requirements under the Security Rule and endeavor to create a robust HIPAA compliance program.

    Kaufman & Canoles remains available, even on short notice, to assist with your HIPAA/HITECH compliance. In the event of a potential breach of protected health information, an upcoming HIPAA audit, or if you have any questions regarding compliance with HIPAA, contact our Healthcare or Cybersecurity Response Team.

    The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2024.