Kroll Launches Assessment Tool for HIPAA Final Rule Compliance

Kroll's Web-based security self-assessment tool allows IT companies designated as "business associates" to assess their compliance with the final HIPAA omnibus rule.

Security services firm Kroll Advisory Solutions has launched a Web-based self-assessment tool for companies to assess their risk of violating the Health Insurance Portability and Accountability Act (HIPAA).

Announced April 4, the Business Associate HIPAA Self Risk Assessment (BA HSRA) will enable business associates, which are third parties such as IT providers hired by health care organizations, to comply with HIPAA.

On Jan. 17, the Department of Health and Human Services (HHS) announced a final HIPAA omnibus rule that outlined how business associates must meet HIPAA's privacy and security rules in the same way as doctors, hospitals and health insurance providers.

As business associates, IT companies can be liable for data breaches.

"The HIPAA Omnibus rule has greatly expanded the scope of organizations required to comply, which will likely catch some vendors off guard, especially those who never considered themselves subject to enforcement by the OCR [U.S. Office of Civil Rights]," Danny Creedon, a managing director and leader of Kroll's IT Risk Assessment offerings, said in a statement. "Ultimately, the rule affects any organization that creates, receives, maintains or transmits PHI [protected health information] for a covered entity."

With OCR indicating that it will resume HIPAA compliance audits in the fall of 2013, businesses should re-evaluate their risk-management protocols, according to Creedon.

Kroll developed the tool along with Grant Peterson, chief compliance officer and founder of HIPAA Analytics.

The Web-based tool assesses company performance and provides insight into remediation, along with forms for companies to attest to HIPAA compliance. Users can view information on how to proceed with HIPAA compliance.

Companies that use a Web-based tool to complete a HIPAA preparation assessment can receive results faster than with traditional methods of collecting and aggregating responses, Brian Lapidus, head of the incident response and remediation group at Kroll Advisory Solutions, wrote in an email to eWEEK.

"The goal behind the tool is to provide an accurate snapshot of the strength of the organization's privacy and security measures as related to HIPAA requirements," Lapidus wrote. "With this information in hand, the entity can make a determination as to what is an acceptable risk, and what needs to be remediated."

In addition to the assessment tool for business associates or subcontractors, Kroll offers an HSRA for covered entities, which are typically health care providers.

The HIPAA Security Rule requires both covered entities and business associates to protect electronic PHI, according to HHS.

This rule also requires covered entities and business associates to conduct a risk assessment, Lapidus noted.

The tool's components include a preparation guide, a risk assessment, report generation, a road map on how to fix security holes, and documentation that explains how to "self-attest" to HIPAA regulations.

In addition to HIPAA, the Kroll tool is based on the Special Publication 800 Series from the National Institute of Standards and Technology (NIST), the agency within the Commerce Department that develops and applies technology standards.

The Kroll tool's questionnaire asks a company to what extent its policies address disclosure of PHI. The risk assessment's score is color-coded according to an organization's preparation—green for "more satisfactory," yellow for "some controls" and red for "unsatisfactory." Health care providers or IT companies (business associates) receive an overall score and domain scores broken out into categories such as data collection and physical safeguards for security.