NIST Offers Risk Assessment Toolkit for HIPAA Security Rule Analysis

Posted by BAS - 06 September, 2012


The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) established national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. One key safeguard required for compliance with the Security Rule is the completion of regular risk assessments. As we have previously reported, the absence of a formal risk assessment can be grounds for substantial fines for non-compliance with the Security Rule (see Lack of HIPAA Training and Risk Analysis cited in $1.7 Million HHS Settlement). As part of its regulatory and enforcement role, the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) established guidance that identifies the essential elements of a risk assessment.

The National Institute of Standards and Technology (NIST) released a “HIPAA Security Rule Toolkit” to assist covered entities and business associates with conducting a risk assessment, as required by HIPAA’s Security Rule. NIST’s toolkit is a single-user, stand-alone software application that guides the user through the 45 specifications established by OCR. NIST designed the software to be used by both large entities and smaller entities with little IT knowledge or access. However, the technical questions can be difficult to answer without experience or background knowledge in IT and the Security Rule. Overall, the software can prove a valuable tool for getting entities started on the path of risk analysis or for ensuring that the risk analysis is sufficiently robust.

NIST’s toolkit is available on-line here.

Topics: MyEnroll360 Security

