Utilizing the CMS Security Risk Assessment Tool Liz Hansen, PCMH CEC, ICD-10 PMC Special Consultant, GA-HITEC Member Manager, GaHIN 678.640.4752


Utilizing the CMS Security Risk Assessment Tool

Liz Hansen,

PCMH CEC, ICD-10 PMC

Special Consultant, GA-HITEC

Member Manager, GaHIN

678.640.4752


Overview

- Why is the Security Risk Assessment (SRA) needed?
- Introduction of the CMS/OCR SRA Tool
- How do you use the Tool?
- Review of Pros and Cons of Utilizing Tool
- Q&A


Why is the SRA Needed?

- Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization
- Conducting a security risk assessment is a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program


Why is the SRA Needed?

- A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards
- A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk


Introduction to Tool

- Result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR).
- Designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace
- Facilitates assessment of information security risks in your organization under the HIPAA Security Rule.
- The application is available for download at www.HealthIT.gov/security-risk-assessment
- Also produces a report that can be provided to auditors.


Disclaimer

The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations.

The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.


Introduction to Tool

Downloading the SRA Tool (Windows version)

To download the SRA Tool, navigate to ONC’s website at:

http://www.healthit.gov/securityrisk-assessment


Introduction to Tool

Next, select the blue button located within the “Security Risk Assessment Tool” box.


Upon completion of this webinar, participants will be able to:

- Realize need for Risk assessment
- Recognize availability of this resource
- Demonstrate ability to access, download, start assessment
- Determine pros and cons of utilizing

Once you select the button, you will be directed to the Security Risk Assessment Tool page

Navigate to the right side of the page to begin downloading the Windows version of the tool


While your downloading experience may vary depending upon the internet browser you are using, all browsers should allow you to save the file on your desktop computer or laptop

Once prompted, select the arrow symbol next to the “Save” option


Introduction to Tool

From the menu options, select “Save As” then select the folder location where you would like to store your application

Finally, select the “Save” button

Once you have downloaded the application, double-click the icon and select “run” when prompted

The SRA Tool will open


Demonstration – Using the Tool



Pros & Cons


What the SRA Tool Is: A Security Risk Assessment Tool

- Use of the Tool can support an organization’s risk assessment process
- Supports identification of conditions where Electronic Protected Health Information (ePHI) could be disclosed without proper authorization, improperly modified, or made unavailable when needed
- Responses to the questions in the SRA Tool can be used to help organizations identify areas where security controls designed to protect ePHI may need to be implemented or where existing implementations may need to be improved


Pros & Cons


What the SRA Tool Is:

- Single User
- Downloadable to desktop
- Recommended for small to medium size offices
- Easy to use


Pros & Cons


What the SRA Tool Is Not: A Multi-User Tool

- Not a collaborative multi-user tool to be used simultaneously by any users

- A single user at any one time, with appropriate permissions to install and run the application on the desktop, will use the tool to individually capture information

- However, multiple users may access the tool on separate occasions.


Pros & Cons


What the SRA Tool Is Not: A Compliance Tool

- The SRA Tool does not produce a statement of compliance
- Use the SRA Tool in coordination with other tools and processes to support HIPAA Security Rule – Risk Analysis compliance and risk management activities
- Statements of compliance are the responsibility of the covered entity and the HIPAA Security Rule regulatory and enforcement authority
- Please note that the SRA Tool does not cover additional Security Rule requirements
- Does not provide mitigation or mitigation plan w/dates, or Policies & Procedures


Pros & Cons


What the SRA Tool Is Not: A HIPAA Privacy Rule Tool

- The SRA Tool provides guidance in understanding the requirements of the HIPAA Security Rule – Risk Analysis specifically
- Does not include provisions for the HIPAA Privacy Rule
- Downloadable on Windows 8


Resources

GA-HITEC

877-658-1990

www.ga-hitec.org

CMS Incentive Programs

www.cms.gov/ehrincentiveprograms

www.HealthIT.gov/security-risk-assessment

http://www.healthit.gov/providers-professionals/security-risk-assessment

GA Medicaid Incentive Program

www.dch.georgia.gov/ehr


Q & A

Liz Hansen,

PCMH CEC, ICD-10 PMC

Special Consultant, GA-HITEC

Member Manager, GaHIN

678.640.4752