For the busy Privacy Officer

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities and their business associates that handle protected health information (PHI) to implement reasonable and appropriate administrative, physical, and technical safeguards.

But what does that mean? It means doing two things:

  1. Conducting a risk assessment to identify the risks to the protected health information you hold.
  2. Implementing reasonable policies and procedures (i.e., reasonable safeguards) to manage those risks.

The risk assessment can be complicated. SRA Online is here to help.

The fine print.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA's administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization's protected health information (PHI) could be at risk. To learn more about the assessment process and how it benefits your organization, visit the Office for Civil Rights' official guidance.

This implementation of the Security Risk Assessment uses the same questionnaire as the HealthIT.gov SRA Tool, but it has not been reviewed or endorsed by the Department of Health and Human Services, the Office for Civil Rights, or any local, state, or federal body.

Use of SRA Online or its materials is neither required by nor a guarantee of compliance with federal, state, or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. SRA Online is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

The NIST standards referenced in SRA Online are drawn in part from those cited by the SRA Tool at HealthIT.gov. The standards are provided for informational purposes only, as they may reflect current best practices in information technology. They are not required for compliance with the HIPAA Security Rule's requirements for risk assessment and risk management. SRA Online does recommend referring to the NIST standards as you conduct your risk analysis.

SRA Online is not intended to serve as legal advice or as recommendations based on a provider's or professional's specific circumstances. SRA Online encourages providers and professionals to seek expert advice when evaluating the use of SRA Online.