The National Institute of Standards and Technology (NIST) has recently released a HIPAA Security Rule Toolkit to help organizations comply with the HIPAA Security Rule.
From their website:
The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise.
I took a look at the toolkit and can see that a lot of thought and work has gone into it. There are questions that address the Administrative, Physical and Technical safeguards. The questions are answered Yes / No / Not Applicable. Some questions require text to be entered, such as listing the systems that use encryption. Supporting documentation for a question can be uploaded to the tool. Below is an example of how a question is posed and how supporting documentation can be uploaded:
Has your organization developed, disseminated, reviewed/updated, and trained on your Risk Assessment policies and procedures?
–If yes, select Yes below and please attach your policy and procedure currently in use and please include your review/update schedule and training schedule.
A deeper look
As I mentioned the Security Rule Toolkit is a product of a lot of time and effort. What I struggle with is exactly who the audience for the Toolkit is. Looking once again at the NIST website they state:
Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise.
If the target user organization is a small health care provider with limited access to IT expertise, I am not sure the toolkit has hit its mark. There are 809 questions that need to be answered. Who in a small medical practice is going to have the time to answer each of those questions? In addition, some of the questions themselves are not that easy to understand and/or to answer. Let’s take a look at the 7th question in the toolkit:
Has your organization identified the types of information and uses of that information and the sensitivity of each type of information been evaluated (also link to FIPS 199 and SP 800-60 for more on categorization of sensitivity levels)?
–If yes, select Yes below and please attach the configuration documentation.
–If no, select No below.
SP 800-66 4.1.1 Security Management Process: Identify Relevant Information Systems
I had to reread that question a few times to understand what they were asking. I can see Practice Administrators getting frustrated as they go through the questions. I can see this toolkit being more useful to organizations that have IT support staff who can help answer the questions.
For organizations looking for a do-it-yourself (DIY) approach to a HIPAA Risk Assessment, this toolkit is very useful. However, the number of questions, the requirement to upload supporting documentation, and the lack of easy-to-understand questions will make for a frustrating experience for those without detailed knowledge of the HIPAA Security Rule.