Problem solve Get help with specific problems with your technologies, process and projects.

The HHS security risk assessment tool for HIPAA audit prep

The HHS security risk assessment tool is designed to help healthcare providers meet the HIPAA security requirement. Expert Mike Chapple explains how it works and how it will help your company get ready for the upcoming HIPAA audits.

I saw that the U.S. Department of Health and Human Services released a tool that is supposedly meant to help small-...

and medium-sized physician offices conduct security risk assessments, a requirement under the HIPAA Security Rule. What exactly does the risk assessment tool do, and do you think it will help with producing reports for a HIPAA audit? Are there easier ways to accomplish the same task?

HHS recently released the Security Risk Assessment tool, designed to help covered entities comply with the requirement to conduct a risk assessment and assess their HIPAA compliance status. This tool, available for free from HealthIT.gov, is a great resource to help assess your compliance status and document the results of the assessment for use in a future HIPAA audit.

The tool, available for Windows 7 and iPad, walks you through the HIPAA Security Rule using a survey-style approach. It includes a series of 156 questions and asks you to identify the controls the organization has in place, and then describe those controls in detail. At the end, it produces a report that identifies areas requiring improvement and offers summary information about the organization's compliance status, such as these charts:

HHS security risk assessment report.
HHS security risk assessment report.

Larger organizations are already using a Governance, Risk and Compliance (GRC) product that provides these capabilities, along with more robust functionality. Small- and medium-sized covered entities who lack a GRC tool may find this is a valuable way to assess the current compliance posture of an enterprise and create an artifact useful for their next audit.

Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

Next Steps

Is your company ready for the 2014 HIPAA audit? Mike Chapple has tip on the best ways to prep.

Here's what you need to know to pick the right information security risk assessment framework.

This was last published in September 2014

Dig Deeper on HIPAA

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

How is your firm getting ready for the upcoming HIPAA audit?