Earlier this month, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT). We have been following the development of this toolkit since its inception in 2011 as the HSR toolkit and reviewed V2.0 in early 2014. Each time a new version is released, HIPAA One gathers with a few trusted industry partners to review the changes and updates so that we may accurately counsel healthcare providers, payers and business associates on the pros and cons of utilizing this free, government-issued application.
Before diving into our review of V3.0, it is important to note that HHS in no way states that by using SRAT, healthcare providers are assured compliance with the Security Risk Analysis requirement under HIPAA. Per the Health IT.gov website: “Disclaimer: The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”
This is not to say that SRAT does not have its merits. At HIPAA One, we firmly believe that SRAT can be an effective training tool for compliance professionals as well as a guideline for certified auditors. Despite being a time-consuming process, SRAT does provide step-by-step instructions similar to a bona fide HIPAA Security Risk Analysis. Healthcare professionals should merely be cautioned that without the guidance of a trained auditor, SRAT may or may not hold up in an audit scenario.
In short, the newly updated Security Risk Assessment Tool (SRAT) has made improvements mainly related to the user experience and follows the HIPAA Audit Protocol and NIST-based methodologies for calculating risk. One update, although mostly a file repository, is the bulk asset upload feature. This has been added along with a multi-location option for larger entities.
Furthermore, organizations seeking assistance with Business Associate Agreement (BAA) management will find that HHS has added a BAA-type function. However, it is important to note that this does not actually produce a BAA agreement.
Having the ability to enter asset type and status at different stages of the ePHI systems is great, but without the ability to track or assign these questions, an inexperienced user may not be able to identify where some of the gaps came from.
As users work through the tool, they will find that questions now map back to the HIPAA citations (similar to our software). There are also “tips” added throughout the tool. That being said, the most significant update is the production of a Final Report (arguably the most crucial component in completing a risk analysis). Much like the rest of the tool, the newly created Final Report comes with a caveat: its results are fairly arbitrary, with a large margin of error that depends on how the user responds to the risk calculation questions.
Although SRAT is a free tool (albeit funded by our taxpayer dollars) and updates have been made to create a better user experience, compared to other software solutions in the marketplace today, the tool still falls short. We frequently use the term “free like a puppy is free”. Aside from the tool being labor-intensive, mundane and error-prone, each measure results in multiple questions that must be individually answered by someone who knows how to estimate impact and likelihood year over year.
SRAT takes a single-user approach, which means there is no way to collaborate on the assessment with others in the organization. This approach can result in the need for additional committee meetings to oversee remediation of identified risks. Also, because there is no option to delegate survey questions to employees in different roles, you may have someone in IT trying to answer HR-related questions. Lastly, should users desire to go back to a previous section or revise an answer, navigation is difficult. Past sections are merely available through <BACK> and <NEXT>.
Because SRAT does not save any historical data related to previous assessments, organizations that have completed risk assessments in past years are unable to import their old assessments and simply make updates reflecting the past year. Healthcare providers focused on creating a sustainable and long-lasting HIPAA-compliant office should seek out a tool that allows for year-after-year imports to decrease the amount of administrative work in completing a risk analysis each year.
When evaluating the accuracy and comprehensive nature of the tool, there are a few glaring issues that we would be remiss not to address. These are the aspects of SRAT that would require either the experience of a certified auditor or compliance professional in training to ensure the assessment is completed accurately.
Some of the issues not remedied by the V3.0 update include:
- No Calculation of Risk – Without an experienced auditor who is qualified to answer and assess risk, the average user is required to assign a risk score to each question without guidance or training. For example, the gaps SRAT generates are not correlated to, and do not identify, the HIPAA control requirement that the corresponding policies need to address.
- No Remediation Planning or Guidance – One critical component of completing a risk analysis is addressing and remediating the deficiencies and findings after the fact. The remediation planning process gives providers a framework for next steps and continued compliance.
- The Final Report – A component missing from the final report is an executive, high-level overview. Additionally, in the final report there is no way to see whether you have partially met a requirement or whether a policy needs to be edited or changed. Lastly, there are no prescriptive recommendations for addressing any of the identified risks.
- No Included Policies and Procedures – SRAT does not include PnP templates, nor does it review any current, existing PnPs. This leaves providers at risk of continuing to use potentially outdated PnP templates and minimizes the possibility of a yearly review of these templates.
2018 HIPAA SRAT v3.0 tool
Pros:
- Bulk asset upload
- Multiple location option
- Basic Business Associate Agreement (BAA) utility
- Questions map to HIPAA citation
- Guidance through on-screen “tips”
- Simple Final Report
- User guide
Cons:
- No specified roles. One person is left to answer questions they may not be qualified to answer, from IT to HR.
- No auto calculation of risk. Without a certified auditor, answering and assessing risk for each of the questions is arbitrary.
- Does not provide an actual Business Associate Agreement (BAA).
- Navigation is difficult. Past sections are only available through <BACK> and <NEXT>.
- Lots of clicks.
- No remediation planning or guidance.
- No review by an auditor to keep impartiality. No ongoing updates.
- No policies and procedures provided, and no review of the provider’s existing policies, which could be older than 3 years.
- No free vulnerability scan linking back to the software.
- Graphs near the end that are not updatable and have a questionable purpose.
- No importing of assessments year after year.
- Use of the SRAT tool will not guarantee you will pass an audit.
Bottom line: this solution would work for compliance-in-training individuals or those who have the time but no funding to run a stand-alone SRA solution.
If your workplace is considering using the SRAT tool for your 2018 risk analysis, we would encourage you to take a look at our industry-leading automated software before doing so. At HIPAA One, our software scales seamlessly based on your role and the size of your organization. And with tiered pricing accessible even for single-doc physician practices, HIPAA One is the only choice for a guarantee to pass an audit using a simple, automated and affordable approach to conducting the annual HIPAA assessment.