The U.S. Department of Health & Human Services has released a new security risk assessment tool to help health care providers in small- to medium-sized offices conduct security risk assessments of their organizations. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program.

"By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems," according to an HHS news release. "Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data."

The application, available for download at, also produces a report that can be provided to auditors.

The SRA tool was developed by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR).