This is the third part of my series on HIPAA compliance tools, apps and hardware. This week I focus on the Security Risk Analysis tool published by the Department of Health and Human Services.
Creators: The Office of the National Coordinator for Health and Information Technology (“ONC”) was created in 2004 by executive order and established as a permanent entity in 2009 by HITECH. The mission of the ONC is “to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care.” They are tasked with the “coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information.” The web facing presence of the ONC is healthit.gov, which offers a wide array of information, services and even tools. The ONC is also coordinating some of the first grants being made available to the public to support health information exchange, workforce training, and peer learning.
Look and Feel: From the get go this application offers a very user friendly and intuitive experience. The dashboard has four tabs that allow you to create a username and password; basic business profile; document asset inventory; and list business associates. The asset inventory and business associate tabs come off as clear afterthoughts and have next to no functionality other than the ability to list BA’s and assets in a format that cannot be exported or contain any meaningful data.
Once inside, the application does a beautiful job of walking the user through a step by step security risk analysis with plenty of easy to use tutorials and FAQs.
Under the Hood: The survey within this tool has a modest 156 questions that draw their text from 45 CFR 164.308, 310 and 312. While some questions do lightly touch on Physical and Technical safeguards, this tool focuses predominantly on Administrative Safeguards. For a more thorough tool that covers Administrative, Physical and Technical safeguards, take a look at my review of the NIST toolkit. Unlike many other offerings on the market today, this tool creates a remarkably informative and downright educational experience, all while helping you perform a security risk analysis. This application is available in the app store and as an .exe file directly from the link above for free. One quick note, the mac version of this app only works on the iPad.
As one would expect, this app is accompanied by the stock and standard legal disclaimers stating that the tool is not to be construed as legal advice and does not guarantee legal compliance with HIPAA regulations. That said, this tool was created by the ONC; in collaboration with the Office of Civil Rights (the enforcement body for HIPAA violations); the Office of General Counsel; using the standards created by NIST; and all under the umbrella of the Department of Health and Human Services. Why is this important? As a rule of thumb, use the playbook of the opposing team when preparing for an encounter.
Use: To start, this app is rooted in a question and answer style approach. Accompanying each answer is a wealth of information (discussed below), all aimed at making the security risk analysis a painless experience. For example:
“Does your practice periodically complete an accurate and thorough risk analysis, such as upon occurrence of significant event or change in your business organization or environment?” Each question is answerable by yes, no or flag. When you click any of the options, the question expands and allows you to elaborate on the answer:
The expanded screen gives you three tabs that allow you to elaborate on what your current steps are to address the question; notes; and ultimately any necessary remediation to bring your policy/activities in line.
All in all, the survey is fairly standard and what you would expect from a program of this kind. That said, the real gem within this app are the three tabs located on the right hand side of the screen titled: Things to Consider; Threats and Vulnerabilities; and Examples of Safeguards. These three tabs are amazing resources. I find myself going into the app when I have a question, navigating to the appropriate code section and then digging into each of these tabs to get an answer.
The first two tabs offer a very basic interpretation of what the question is looking for and what to be aware of when answering. You can also click certain keywords and the tool with provide you with a basic definition. This is very handy if you are new to the HIPAA compliance game or your IT skills are not advanced. The last tab, Examples of Safeguards, is a gold mine of information. Not only does it provide you with different examples, but it gives you code section numbers and citations to NIST standards. This tab does a lot of the legwork you would have to do in order to figure out whether your safeguards count towards answering the question at hand. Finally, if you are a really looking to get into the nitty gritty definitions, there is a button that takes you to the browsable built in dictionary.
Once you have answered all of the questions (or even if you are part way through), an easy to use report is generated that organizes your responses into an easy to use format:
This format is exportable into an editable format (.xls) and does give you the ability to share it with others. Unfortunately, this tool is not collaborative and there is not a way I could find to upload an excel report back into the program after it had been exported. This means that the only person who can use the application is the one with it open on their desktop/iPad.
Final Thoughts: This tool is an excellent starting place for performing your own security risk analysis. While some features are clear afterthoughts (asset inventory and business associates), the meat of this tool is dynamic, educational and a valuable tool even after you have performed your security risk analysis. This is one of those rare times where I would like to see a new version that polishes the features and makes it collaborative. That said, this tool is a must have for any privacy, security or IT professional working in a HIPAA environment.
/s/HH @legallevity
Legal Levity 
5 thoughts on “Technology, HIPAA and You Part 3: HHS Security Risk Analysis Tool”