Utilizing the CMS Security Risk Assessment Tool Liz Hansen, PCMH CEC, ICD-10 PMC Special Consultant, GA-HITEC Member Manager, GaHIN 678.640.4752.

Presentation transcript:


Overview
- Why is the Security Risk Assessment (SRA) needed?
- Introduction of the CMS/OCR SRA Tool
- How do you use the Tool?
- Review of Pros and Cons of Utilizing Tool
- Q&A

Why is the SRA Needed?
- The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization
- Conducting a security risk assessment is a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program

Why is the SRA Needed?
- A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards
- A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk

Introduction to Tool
- Result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR).
- Designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace
- Facilitating assessment of information security risks in your organization under the HIPAA Security Rule.
- The application, available for downloading at
- Also produces a report that can be provided to auditors.

Disclaimer
The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

Introduction to Tool
- Downloading the SRA Tool (Windows version)
- To download the SRA Tool, navigate to ONC’s website at:

Introduction to Tool
- Next, select the blue button located within the “Security Risk Assessment Tool” box.

Upon completion of this webinar, participants will be able to:
- Realize need for Risk assessment
- Recognize availability of this resource
- Demonstrate ability to access, download, start assessment
- Determine pros and cons of utilizing

- Once you select the button, you will be directed to the Security Risk Assessment Tool page
- Navigate to the right side of the page to begin downloading the Windows version of the tool

- While your downloading experience may vary depending upon the internet browser you are using, all browsers should allow you to save the file on your desktop computer or laptop
- Once prompted, select the arrow symbol next to the “Save” option

Introduction to Tool
- From the menu options, select “Save As” then select the folder location where you would like to store your application
- Finally, select the “Save” button
- Once you have downloaded the application
- Double-click the icon and select “run” when prompted
- The SRA Tool will open

Demonstration – Using the Tool

Pros & Cons
What the SRA Tool Is:
- A Security Risk Assessment Tool
- Use of the Tool can support an organization’s risk assessment process
- Supports identification of conditions where Electronic Protected Health Information (ePHI) could be disclosed without proper authorization, improperly modified, or made unavailable when needed
- Responses to the questions in the SRA Tool can be used to help organizations identify areas where security controls designed to protect ePHI may need to be implemented or where existing implementations may need to be improved

Pros & Cons
What the SRA Tool Is:
- Single User
- Downloadable to desktop
- Recommended for small to medium size offices
- Easy to use

Pros & Cons
What the SRA Tool Is Not:
- A Multi-User Tool
  - Not a collaborative multi-user tool to be used simultaneously by any users
  - Single user at any one time with appropriate permissions to install and run the application on the desktop will use the tool to individually capture information
  - However, multiple users may access the tool on separate occasions.

Pros & Cons
What the SRA Tool Is Not:
- A Compliance Tool
- The SRA Tool does not produce a statement of compliance
- Use the SRA Tool in coordination with other tools and processes to support HIPAA Security Rule – Risk Analysis compliance and risk management activities
- Statements of compliance are the responsibility of the covered entity and the HIPAA Security Rule regulatory and enforcement authority
- Please note that the SRA Tool does not cover additional Security Rule requirements
- Does not provide mitigation or mitigation plan w/dates, or Policies & Procedures

Pros & Cons
What the SRA Tool Is Not:
- A HIPAA Privacy Rule Tool
- The SRA Tool provides guidance in understanding the requirements of the HIPAA Security Rule – Risk Analysis specifically
- Does not include provisions for the HIPAA Privacy Rule
- Downloadable on Windows 8

Resources
- GA-HITEC
- CMS Incentive Programs
- GA Medicaid Incentive Program

Q & A Liz Hansen, PCMH CEC, ICD-10 PMC Special Consultant, GA-HITEC Member Manager, GaHIN