HIPAA Security Rule Risk Analysis: ONC/OCR SRA Tool

Many Covered Entities and Business Associates do not perform a HIPAA risk analysis as required by §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. This is evidenced by over 90% of the Office for Civil Rights (OCR) enforcement actions to date identifying an insufficient risk analysis/risk management program as a key finding in the investigation. A common mistake is jumping straight into implementing controls that seem relevant to the HIPAA Security Rule requirements without considering the risks unique to the organization. The HIPAA Security Rule is commonly, and incorrectly, viewed as a compliance framework, which is not its intent. At its core, the HIPAA Security Rule starts with risk analysis; everything else should flow from there. HIPAA has been around since 1996, and the reason the Security Rule does not constantly need updating is that it is non-prescriptive. The requirements are high level by design, so that organizations can determine what the appropriate safeguards should be based on their own risk analysis.

The challenge organizations have is knowing what the OCR considers acceptable for a risk analysis. The HIPAA risk analysis guidance document issued by the OCR gives organizations high-level considerations. While many medium to large-sized businesses likely have a risk analysis program that already encompasses the items identified in the OCR guidance, that analysis might not be performed from the viewpoint of the HIPAA Security Rule. Smaller organizations may not have any formal risk analysis process at all.

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the OCR, has recognized this challenge and developed a downloadable Security Risk Assessment (SRA) tool to guide organizations through the HIPAA risk analysis process. The SRA tool is designed to help Covered Entities and Business Associates conduct a risk analysis in a way that meets the HIPAA Security Rule requirement. Best of all, the SRA Tool comes at everyone’s favorite price…free!

The first part of the assessment in the SRA tool has the organization enter general contact information, asset inventory details, and a list of vendors.

Asset Inventory
A common OCR finding regarding risk analysis is that the process fails to consider all the assets in an organization’s environment where PHI/ePHI may reside. A detailed asset inventory helps show that consideration was given to documenting all the relevant assets covered by the risk analysis process. There is also an asset template that allows you to upload a .csv file, which is helpful because entering every asset line item by line item in the tool would be time-consuming.

Vendor Tracking
This section allows the organization to track relevant details about vendors that have an impact on the environment where PHI/ePHI may reside. It allows the vendor’s business associate agreement (BAA) to be added, and going through this exercise might help an organization realize it does not have a BAA in place with a vendor that requires one, which is another common OCR investigation finding. Once completed, this also provides a central list of relevant vendors that the organization can reference as part of its annual vendor assessment process.

Next, the assessment is broken out into 7 sections that cover the HIPAA Security Rule requirements:

  • SRA Basics

  • Security Policies

  • Security & Workforce

  • Security & Data

  • Security and the Practice

  • Security and Business Associates

  • Contingency Planning

Each of these sections contains areas for the organization to complete around vulnerabilities, threats, likelihood, impact, and general questions.

Vulnerability Identification
Each section in the SRA tool has the organization select, from a list of predefined potential vulnerabilities, those that might be applicable to it. This helps organizations consider vulnerabilities they may not have thought of and focus their risk considerations on the selected vulnerabilities.

Threats, Likelihood, and Impact Consideration
Based on the vulnerability selections, the tool next presents potential threats. The organization then considers each potential threat listed and assigns it a likelihood (low, medium, high) and an impact (low, medium, high).

General Questions
Each section has general multiple-choice questions built to address each of the HIPAA Security Rule requirements. They cover the individual requirements in a way that gauges the level of coverage the organization currently has. Based on how the organization answers the questions, it is presented with “Areas of Success” as well as “Areas for Review.” For the “Areas for Review,” the tool gives useful insight into alternative or additional options that would help improve HIPAA compliance.

Once the organization has completed both the Practice Info section and the 7 assessment sections, the tool offers various reports that give overall summaries and identify areas where improvements can be made. This provides evidence that the risk analysis was completed and gives the organization a formal document detailing its results.

While there are more complex risk analysis tools and methodologies available, the SRA tool is a great free option for organizations looking to simply identify and assess risk as required by the HIPAA Security Rule. Once this step is completed, organizations can move on to the next step: identifying the appropriate security measures that reduce the risks identified in the risk analysis, as required in §164.308(a)(1)(ii)(B).

Finally, the HIPAA risk analysis process should not be a one-time event. Risks change over time as the internal and/or external factors affecting the business change. The organization should have a process in place to perform a new risk analysis on a recurring basis (typically annually), and also whenever a major change occurs in its business environment (either internal or external). This is commonly overlooked and can lead to new risks not being considered, which in turn prevents additional or updated safeguards from being put in place to account for them.

About the Author

Doug Kanney

Doug Kanney is a Principal at Schellman & Company. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 15 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.
