As a single-practice HIPAA Security Rule training app or a HIPAA SRA workbench, the tool is not bad. The ONC/HHS HIPAA Security Risk Assessment Tool is a vast improvement over the 2011 HSR Toolkit for those scenarios. It has fewer questions, a status bar that displays relative SRA completion status, and reports that can be exported to PDF or Excel at any time throughout the process. I have listed my subjective opinions in the following bullet points:
- The tool’s design lends itself to physician and small health provider practices. It is not designed for health plans or business associates.
- A single office location is requested when setting up an SRA, but the SRA Tool question set does not address locations. By default, then, the tool is location-specific, so it does not lend itself to health care providers with multiple locations.
- User access to the tool is completely based on the honor system. The ability to restrict specific user activity within the tool does not exist, and the ability to track specific user activity within the tool is very limited. While there is functionality that distinguishes separate users who can each “Log In” (i.e. so that there is the appearance of multiple user “accounts”), there are no passwords assigned to these users, so any user can log in as any other user. Moreover, the tool’s user guide states that “the SRA Tool will save the answers based on the internet protocol (IP) address used by the computer or server”. Yet the tool is not client-server or cloud based, so it is unclear how a team or group of people would use the tool, much less monitor or audit its use.
- HHS’ website states that “there are a total of 156 questions”, and the tool’s navigator panel shows that these are contained in 12 groups or categories. However, each of the 156 questions has sub-questions of its own, so that complete answers (which the tool apparently doesn’t require) multiply that number (156) by at least 3 for a “Yes” answer and by 4 for a “No” answer. For example, answering “No” to the first question (A01) requires the user to answer a total of three additional questions: 1) Select your reason for answering no; 2) Is the likelihood of an incident occurring (because of the vulnerability posed by not having the requested policies and procedures) low, medium or high?; and 3) Would the impact of an incident occurring (from not having the requested policies and procedures) be low, medium or high? There is also an optional “Flag” checkbox to call attention to a question for later review.
- Answers marked “Yes” can be saved without citing evidence, and answers marked “No” can be saved without adding an explanation, including for “Addressable” questions. If multiple people are involved in performing the SRA (which HHS recommends), this seems undesirable.
- Questions are not specific to individual EMR systems, so answering questions for multiple EMR or ePHI systems is something that can only be addressed manually in the answer notes provided for questions that pertain to ePHI systems.
- The tool’s website downloads page (http://www.healthit.gov/providers-professionals/security-risk-assessment-tool) states “You can document your answers, comments, and risk remediation plans directly into the SRA Tool. The tool serves as your local repository for the information and does not send your data anywhere else.” However, artifact curation is not possible within the tool, so the SRA artifact repository that supplies the evidence of compliance an auditor may want to see would need to be referenced within the tool’s free text fields and set up separately.
- The tool’s risk rating assistance is quite limited. The tool’s risk rating for a given question (as reflected in the SRA report) appears to be based strictly on the “Likelihood” rating that the user sets manually for that item, regardless of the question. Thus, a manually assigned “Impact” rating of High or Medium does not appear to affect the risk rating in the SRA Report.
- Be careful adding anything into the Notes field on the Notes tab. Notes can only be added. They cannot be modified or deleted.
- There is a bug in the version I tested (Windows version v1.3) where, if you try to modify the columns in the report using the “Show / hide columns” feature, the columns pop-up box does not disappear and will be in the way until the user closes and restarts the app.
Other upgrades to the ONC’s Security Risk Analysis Tool include a colorful green-yellow-red dashboard-style chart, a glossary of terms, and other aids such as “Things to Consider”, possible threats and vulnerabilities, and example safeguards for each question asked. It will probably speed up the HIPAA SRA process for small providers who want to “go it alone”. However, outside the scope of small, single-location practices, the SRA Tool will be difficult to use.
Feel free to visit the SRA Tool’s website downloads page (http://www.healthit.gov/providers-professionals/security-risk-assessment-tool) and to share your opinion on our website below.
Steven Marco, CISA, ITIL and co-authored by Joe Grettenberger, CISA, CCEP, ITIL.