4 Considerations When Using ONC’s HIPAA Security Risk Assessment Tool

A HIPAA Security Risk Assessment Tool was released by the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), on Friday, March 28, 2014. The tool is a downloadable software application intended as a resource to help providers review the measures they have taken to implement the requirements of the HIPAA Security Rule.

In the Security Risk Assessment Tool's User Guide, ONC states that the tool is intended for small to medium-sized practices (typically 1-10 health care providers). Further, the User Guide notes that the tool cannot be used by multiple users as a collaborative process; it is a single-user tool. ONC cautions that the tool does not produce a statement of compliance and should be used in coordination with other tools and processes, and further reminds users that the tool does not address the HIPAA Privacy Rule.

The tool is also available for download in paper form (as separate Word documents covering Administrative Safeguards, Physical Safeguards and Technical Safeguards).

The following are four considerations for covered entities and business associates interested in using this tool:

  1. Consider completing the tool as a team rather than individually. Implementation of the HIPAA Security Rule generally requires input from various employees and business partners, such as owners, managers, practitioners and IT personnel or contractors. Even though the tool is a single-user tool, the forms could be printed out first and worked on as a collaborative effort. Multiple versions of the tool could create risk for the organization (e.g., conflicting answers from different individuals as to what is "reasonable and appropriate" for the entity).
  2. Prior to using the tool, users should consult the HIPAA Security Rule itself for the proper treatment of required vs. addressable implementation specifications. For addressable specifications, a HIPAA covered entity or business associate may determine that the specification is not reasonable and appropriate. If the specification is not reasonable or appropriate, then the covered entity or business associate must document why it is not reasonable and appropriate and what equivalent alternative measure was taken. The ONC Security Risk Assessment Tool could create confusion in this area because it gives users the option of choosing any of the following in connection with a negative response to any question: size, complexity, cost or alternate solution implemented. While this language appears to reflect the flexibility and scalability of the HIPAA Security Rule, it is important to understand that, although covered entities and business associates are afforded a certain degree of flexibility when choosing specific security measures, the required implementation specifications must be met by all covered entities and business associates.
  3. Consider involving an attorney in the risk assessment process so that the attorney-client privilege can be utilized to the extent possible for the protection of draft documents and discussions related to the feasibility of certain security measures, etc.
  4. Consider using this tool as a checklist or self-audit tool even if the entity does not fall within the intended audience cited by ONC (small to medium-sized health care practices). This tool gives valuable insight into ONC's and OCR's interpretation of the HIPAA Security standards and implementation specifications and would be useful for larger organizations and business associates as well.
