Upcoming Webinar on Security Risk Assessment Tool hosted by ONC and OCR

The office of the National Coordinator for Health Information Technology (ONC) and The Office for Civil Rights (OCR) are hosting a new webinar focused on the Security Risk Assessment Tool (SRA). The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare & Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. A risk assessment helps an organization ensure it is compliant with HIPAAā€™s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where an organizationā€™s protected health information (PHI) could be at risk.

The webinar is scheduled for September 23, 2021, from 2pm-3pm EDT or September 24, 2021, from 11am-12pm EDT and is being presented by ONC and OCR. The SRA tool and how it can be used at your organization as well as upcoming enhancements will be discussed at this webinar, with an opportunity to ask questions and provide feedback. The presentation will be the same for both sessions. Registration is limited to 3,000 participants for each presentation.

To register for the September 23, 2021, webinar 2pm-3pm, click here: Registration (gotowebinar.com).

To register for the September 24, 2021, webinar 11am-12pm, click here: Registration (gotowebinar.com)

The ONC, in collaboration with OCR, developed this downloadable Security Risk Assessment (SRA) Tool to guide users through the process of conducting a security risk assessment as required by the HIPAA Security Rule and the CMS Electronic Health Record (EHR) Incentive Program.

All information entered into the SRA Tool is stored locally on the usersā€™ computer or tablet. HHS does not receive, collect, view, store, or transmit any information entered into the SRA Tool. Results of the assessment are displayed in a report which can be used to determine risks in policies, processes, and systems. Methods to mitigate weaknesses are provided as the user is performing the assessment. The target audience is medium and small providers; thus, use of this tool may not be appropriate for larger organizations. The tool diagrams HIPAA Security Rule safeguards and provides enhanced functionality to document how the organization implements safeguards or plans to mitigate identified risks. The new SRA Tool is available for Windows computers and laptops. 

A link to download the Version 3.2 SRA can be found on healthIT.gov webpage.  The webpage can be accessed at: Security Risk Assessment Tool | HealthIT.gov.

Further details on how to use the tool can be found in the STA Tool 3.2 User Guide, which can be accessed at: SRA Tool User Guide (healthit.gov).

Issue:

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The healthcare sector is now one of the largest victims of ransomware due to its vulnerability to breach of confidentiality and the critical nature of online patient records. It is imperative that all nursing facilities become proactive in preventing ransomware attacks to avoid data breaches which are reportable in terms of HIPAA requirements. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 6 Data Integrity.

Discussion Points:

  • Review your policy and procedures on data integrity. Update as needed.
  • Determine the appropriate staff to attend the offered Webinar on either September 23rd or 24th. Train all staff on your data integrity policies and procedures. Document that the trainings occurred and file the signed document in each employeeā€™s education file.
  • Conduct the offered security risk assessment using the SRA tool, and guide your team to create action plans and mitigation for any identified issues. Periodically audit to ensure that all staff are adhering to your data integrity security measures.