I saw that the U.S. Department of Health and Human Services released a tool that is supposedly meant to help small- and medium-sized physician offices conduct security risk assessments, a requirement under the HIPAA Security Rule. What exactly does the risk assessment tool do, and do you think it will help with producing reports for a HIPAA audit? Are there easier ways to accomplish the same task?
HHS recently released the Security Risk Assessment (SRA) tool, designed to help covered entities meet the Security Rule's requirement to conduct a risk analysis and to assess their overall HIPAA compliance status. The tool, available for free from HealthIT.gov, is a useful resource for assessing your compliance status and for documenting the results of the assessment so that you have evidence to hand over in a future HIPAA audit. Keep in mind that completing the questionnaire does not by itself make you compliant: auditors will expect the gaps it surfaces to feed a documented risk management plan with owners and remediation dates.
The tool, available for Windows 7 and iPad, walks you through the HIPAA Security Rule using a survey-style approach. It presents a series of 156 questions, asks you to identify which controls the organization has in place, and then asks you to describe those controls in detail. At the end, it produces a report that identifies areas requiring improvement and offers summary information about the organization's compliance status, including charts that summarize the results. Because that report is effectively a map of your organization's known weaknesses, store it and the tool's saved assessment file with the same care you would give any other sensitive record.
Larger organizations typically already use a governance, risk and compliance (GRC) product that provides these capabilities, along with more robust functionality such as workflow, evidence tracking and remediation follow-up. Small- and medium-sized covered entities that lack a GRC tool may find the SRA tool a valuable way to assess the current compliance posture of the enterprise and to create an artifact useful for their next audit.