Security Risk Assessments

September 9, 2019

By: Raul A. Tabora, Jr. and Craig W. Anderson

The HIPAA regulations, at 45 C.F.R. § 164.308(a)(1), require covered entities and business associates to implement policies and procedures to prevent, detect, and correct security violations. This requirement specifically mandates what is commonly referred to as a Security Risk Assessment (or “SRA”) in order to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities” to the electronic protected health information (“ePHI”) held by the covered entity or business associate.

On July 30, 2019, the Office of the National Coordinator for Health Information Technology (“ONC”) made available a webinar further emphasizing the need for health care providers and business associates to conduct SRAs. The webinar also encourages use of its SRA Tool, which was created in an effort to guide users through a series of questions based on standards set forth in the HIPAA Security Rule. A direct link to the SRA Tool Webinar can be found under the “SRA Webinars” section on the HealthIT.gov website. While the SRA Tool may not capture all of the potential risks and vulnerabilities to ePHI, it serves as a good starting point for those entities that need assistance in performing a full SRA.

Should you have any questions on how your entity can perform an effective SRA, please contact Raul A. Tabora, Craig W. Anderson, any of the attorneys in our Health Care Practice, or the attorney in the firm with whom you are regularly in contact.