The risk-rating features of a new tool developed by the Office of the National Coordinator for Health IT to help healthcare providers in small to medium-sized physician offices conduct security risk assessments (SRA) need improvement. Released in late March, the SRA tool is designed by ONC to help practices of 1 to 10 providers meet HIPAA requirements for securing protected health information. However, more guidance on how to rate real-world threats to ePHI is required to make the tool useful.

"The tool allows users to rate as 'Low,' 'Medium,' or 'High' the 'Likelihood of harm' and the 'Impact of harm' related to each security rule requirement the tool evaluates," states a review posted in an April 14 blog by Randal L. Gainer, a privacy attorney and certified security professional at Seattle law firm BakerHostetler. "Yet the tool offers incomplete guidance regarding why the risks associated with each requirement should fall into the 'Low' category as opposed to the 'Medium' or 'High' category. Users are left to guess whether failing to comply with a requirement would have a low, medium, or high likelihood of affecting the confidentiality, integrity, or availability of ePHI, and whether the impact of such an effect would be 'Low,' 'Medium,' or 'High.'"
