Industry News

ONC and OCR Update Security Risk Assessment Tool.

The Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR) recently updated the Security Risk Assessment (SRA) tool to improve its functionality and broaden its application to more health information risks.  The ONC and OCR conducted comprehensive usability testing of the prior version of the SRA tool (version 2.0) with health care practice managers to determine the necessary upgrades.  The result of that analysis led to the developmental improvements implemented in the current SRA tool (version 3.0).  Organizations can use the SRA tool to perform and satisfy the Health Insurance Portability and Accountability Act (HIPAA) Security Rule enterprise-wide risk analysis requirement.  An enterprise-wide risk analysis entails a robust review and analysis of confidentiality, integrity, and availability risks of electronic protected health information (ePHI) throughout all of its facilities, locations, and lines of business.

The SRA tool is designed for small to medium sized health care practices with 1 to 10 providers, covered entities, and business associates to identify risks and vulnerabilities to ePHI.  It provides enhanced functionality for documentation methods that organizations can use to implement or plan to implement security measures for ePHI protection.  In addition, the SRA tool includes the following new features:

  • Enhanced User Interface;
  • Modular workflow with question branching logic;
  • Custom Assessment Logic;
  • Progress Tracker;
  • Improved Threats and Vulnerabilities Rating;
  • Detailed Reports;
  • Business Associate and Asset Tracking; and
  • Overall improvement of the user experience.

The SRA tool website includes a revised User Guide to help organizations navigate the latest version of the tool.  Although it is useful in assessing risks and vulnerabilities of ePHI, the SRA tool is not intended to be an exhaustive source for safeguarding health information from privacy and security risks.

The HHS press release is available at: