The ONC/OCR HIPAA Security Risk Assessment Tool: Review of Version 3.0’s New Features

The Health Insurance Portability and Accountability Act’s Security Rule was promulgated in 2003¹ and sets forth standards, implementation specifications, and requirements for the security of electronic protected health information (ePHI) by covered entities and business associates.² Performing a security risk assessment (SRA) has been one of the most challenging requirements for entities subject to HIPAA to understand and effectively implement. Small organizations particularly struggle, even as the requirement became a factor in providers’ payment under programs like Meaningful Use and  the Merit-based Incentive Payment System (MIPS), which pay incentives or impose reimbursement penalties against providers in part based on whether certified electronic medical records are used.³