The U.S. Department of Health and Human Services (“HHS”) has just released a new security risk assessment (“SRA”) tool to assist small and medium sized health care practices (one to ten providers) conduct a HIPAA risk assessment of their organization.

The HIPAA Security Rule requires that all health care organizations that are HIPAA covered entities or business associates must conduct a thorough and accurate risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. The results of the HIPAA audits conducted by the HHS Office for Civil Rights and recent HIPAA breach settlement agreements highlight the importance OCR places on HIPAA risk assessments. However, many smaller physician practices do not know how to complete a risk assessment that meets the HIPAA Security Rule requirement.

The SRA tool is a free software application for Windows operating systems and iOS iPad that a health care practice can download and use to assist in reviewing its implementation of the HIPAA Security Rule. The 156-question tool addresses the implementation specifications included in the HIPAA Security Rule and covers basic security practices, security failures, risk management, and personnel issues. The tool also identifies issues to consider in responding to the questions, possible threats and vulnerabilities, and examples of safeguards the organization may adopt. HHS says that the tool allows providers to “conduct and document a risk assessment in a thorough, organized fashion at their own pace.” The application produces a report that the practice can later provide to auditors. Because the practice downloads the application, the government will not have access to assessment results unless the practice chooses to share that information. The SRA tool is solely for the purpose of conducting an internal HIPAA risk assessment as required by the HIPAA Security Rule and does not produce a statement of compliance and does not assess compliance with provisions of the HIPAA Privacy Rule.

The Office of National Coordinator for Health Information Technology is soliciting comments on the new SRA tool until June 2, 2014. Comments may be submitted to this address: