HHS' OCR, Asst. Secretary for Health Policy Release Latest Version of Security Risk Analysis Tool

If you've followed HIPAA much, you are aware that Security Rule compliance has always lagged Privacy Rule compliance. At least part of this is because Privacy Rule requirements are much more of a one-size-fits-all regime, whereas Security Rule compliance requires a lot of individual customization. It's easier to just do what you are told ("give everybody a NoPP," a Notice of Privacy Practices) versus having to decide what to do ("consider the risks associated with failure to properly warn patients about potential data uses and provide appropriate advice and guidance to them").
To assist HIPAA covered entities and business associates, OCR, NIST, and ONCHIT combined to produce a very useful (but somewhat cumbersome) "security risk analysis tool" that covered entities can use to conduct a risk analysis, determine what their HIPAA and other data security risks are, and craft safeguards that are appropriate for their operations. You can't know what you need to fix or protect unless you've done a risk analysis, and this is a good starting point if you don't have any other idea where to start.
Failure to conduct an appropriate security risk analysis is one of the most commonly cited failures, if not THE most commonly cited, when OCR issues a fine for a HIPAA violation. Additionally, last year OCR announced a specific new enforcement effort, similar to its focus on patients' right to access, targeting covered entities and business associates that failed to conduct a proper risk analysis.
OCR has now issued an updated tool, version 3.6, which is available here.