ONC's first app is a HIPAA security assessment tool for smaller practices

By Brian Dolan

The Office of the National Coordinator for Health Information Technology (ONC), the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC) co-developed a free mobile app and web tool to help small- to medium-sized healthcare practices assess the security issues and risks associated with HIPAA. The app is available for download from Apple's App Store for iPad users and from the ONC's site for Windows laptop and desktop users.

Notably, this is the first mobile app from the ONC.

The SRA Tool app reorganizes some of the content of the HIPAA Security Rule into 156 questions that aim to help providers conduct and document security risk assessments. Within the app, a "yes" or "no" answer to each of these questions can trigger suggestions for action the practice may need to take. The questions cover "basic security practices, security failures, risk management, and personnel issues," according to the tool's user guide (PDF).

"Basic security practice questions include defining and managing access, backups, recoveries, and technical and physical security," the user guide states. "Risk management questions address periodic reviews and evaluations and can include regular functions, such as continuous monitoring. Lastly, personnel issue questions address access to information as well as the on-boarding and release of staff."

The app aims to help users better understand the context of each of the 156 questions and to help users better consider potential impacts to PHI if certain requirements aren't met.

ONC writes in the tool's user guide that the app is not meant to be used by multiple users at one time; it is not a collaborative tool. It is also not a compliance tool, according to ONC, which writes that the "SRA Tool does not produce a statement of compliance". Nor is the app a general HIPAA Privacy Rule tool, since it focuses specifically on risk analysis; to understand all of the provisions of the HIPAA Privacy Rule, users would need to look elsewhere.