Government targets ‘risky business’ with free HIPAA assessment tool

By Patricia A. Rogers

Last week, the Office for Civil Rights of the U.S. Department of Health and Human Services released a toolkit for covered entities and business associates to use to perform a security risk assessment. The HIPAA Security Rule mandates that covered entities perform a risk assessment to determine the potential vulnerabilities to the confidentiality, integrity and availability of electronic PHI. The requirement for covered entities to conduct a security risk assessment has been in place since the HIPAA Security Rule was promulgated in 2003. The HIPAA Omnibus Rule extended the security risk assessment obligations to business associates effective September 23, 2013. Security risk assessments are mandatory for health care providers seeking payment through the Medicare and Medicaid EHR Incentive/Meaningful Use Programs.

Failure to Conduct Risk Assessments

Nonetheless, very few covered entities or business associates have conducted security risk assessments for a number of reasons: they have focused on compliance with the HIPAA Privacy Rule, which is easier to implement; the HIPAA Security Rule is technical and difficult to put into practice; OCR has issued very little guidance on security risk assessments; small organizations do not have IT staff with the necessary expertise; and engaging an IT firm can be cost-prohibitive. Clearly, the government is aware of these obstacles. In the recent OCR audit of covered entities, 47 of 59 health care providers and 20 of 35 health plans had not conducted a complete or accurate security risk assessment.

Some Leniency Thus Far

The government has made efforts to educate covered entities about HIPAA security compliance in resolving many complaints and breach investigations in the last 10 years. Only recently has the government imposed significant penalties for ePHI breaches — and those breaches involved ePHI of thousands of individuals, notably, the Affinity Health Plan $1.2 million settlement stemming from returning a leased copy machine without “wiping” the hard drive containing ePHI of over 340,000 health plan members (and failing to address it in the security risk assessment).

That’s about to change. With the release of the security risk analysis toolkit, the government will expect covered entities and business associates to utilize the free resources to conduct a risk analysis. It’s not a “one-size-fits-all” risk assessment tool, but will provide the necessary framework for conducting the security risk assessment.

Downloadable Software

The software and toolkit can be accessed at, and includes a user guide and tutorial video.

Security risk assessments are a key component of a covered entity’s or business associate’s HIPAA compliance program, which should include: HIPAA privacy and security policies, breach investigation procedures and notification policies, initial and refresher training for workforce members, and updated business associate and subcontractor business associate agreements with third parties and vendors.

If you need assistance in tailoring a security risk assessment for your organization or have other specific HIPAA or health privacy concerns, please contact Patricia Rogers or  your health care lawyer.

HIPAA privacy and security rules also apply to employers with self-insured group health plans. For employee benefits-related HIPAA questions and concerns, please contact John Papahronis.

This alert has been provided for clients and friends of McAfee & Taft A Professional Corporation. It does not provide legal advice, and is not intended to create a lawyer-client relationship. Readers should not act upon information in this alert without seeking professional counsel.