SRA Tool
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. To learn more about the assessment process and how it benefits your organization, visit the Office for Civil Rights’ official guidance.
The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program. The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.
Source: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
The SRA Tool is a desktop application that walks users through the security risk assessment process using a simple, wizard-based approach. Users are guided through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed.
This application can be installed on computers running 64-bit versions of Microsoft Windows 7/8/10/11. All information entered into the tool is stored locally on the user’s computer. HHS does not collect, view, store, or transmit any information entered into the SRA Tool.
Download Version 3.3 of the SRA Tool for Windows [.msi – 70.3 MB] https://www.healthit.gov/sites/default/files/SRA-Tool-3.3.msi
This version of the SRA Tool takes the same content from the Windows desktop application and presents it in a familiar spreadsheet format. The Excel Workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application. This version of the SRA Tool is intended to replace the legacy “Paper Version” and may be a good option for users who do not have access to Microsoft Windows or otherwise need more flexibility than is provided by the SRA Tool for Windows.
This workbook can be used on any computer using Microsoft Excel or another program capable of handling .xlsx files. Some features and formatting may only work in Excel.
Download Version 3.3 of the SRA Tool Excel Workbook [.xlsx – 128 KB] https://www.healthit.gov/sites/default/files/page/2022-05/SRA_Tool_Excel_Workbook_3.3.xlsx
Download the SRA Tool User Guide for FAQs and details on how to install and use the SRA Tool application and SRA Tool Excel Workbook.
Download SRA Tool User Guide [.pdf – 6.4 MB]. https://www.healthit.gov/sites/default/files/page/2022-05/SRA_Tool_3.3_User_Guide.pdf
What makes a server HIPAA compliant
Your hosting environment needs to fully implement firewalls. A perimeter firewall is just a starting point, you also need to have firewalls on the servers behind the main firewall. Moreover, you should use firewall technology that is system-wide for your HIPAA server.
A VPN makes sure that your private connection to the internet stays private. Nowadays, VPNs are necessary for a safe browsing experience. Just remember that not all VPNs are the same, so you need to do research to find the best option.
Every person who has access to the server has to use multifactor authentication. This will either send them a code via an app or an SMS that they’ll have to type in to gain access.
If your platform isn’t privately hosted, it will be able to share its resources with other entities. On the other hand, a private environment ensures all information stays safe and secure.
A secure socket layer, better known as an SSL certificate, needs to be established in all domains and subdomains of your website that have access to sensitive healthcare information. Every part of your website that requires login credentials needs to have an SSL certificate.
You need to work with a service provider whose infrastructure has received certifications from the SOC 2 and SOC 3 reports. These reports require an audit that is based on the AICPA guidelines, including the operating effectiveness of controls.
If you hire any third party to assist you with handling ePHI, you need to sign a BAA. This will ensure that both businesses are seriously taking their responsibilities of being HIPAA-compliant.
HIPAA Requirements
Why Choose WordPress with HIPAA Compliance?
My Clinical Site’s highly secure WordPress platform is a fully managed hosted solution, specifically designed for HIPAA compliance. It’s a key consideration for health & wellness professionals who are covered entities under HIPAA rules.
Health & Wellness practices and other handlers of PHI data will benefit from ease of use, plugins, the Enfold theme, and client portal features. Standard WordPress software is not secure for the storage or transfer of PHI (protected health information).
My Clinical Site’s managed WordPress hosting protects sensitive patient data while keeping your website running at optimum speed and high availability.
1. Only the most current versions of MySQL and PHP (essential components of WordPress) are installed, and they are always up to date
2. Audit controls log all site access and record all activity that involves PHI
3. Strong Passwords and Two Factor Authentication plugins are standard in our HIPAA compliant WordPress installations
4. Secure updates are managed only through sFTP
5. 24x7x365 monitoring, with less than 300 seconds response to critical alerts
6. Over 95% rate of problem resolution on the first call
1. Configuration and Optimization
HIPAA Compliance
WordPress installation, configuration, & optimization
Strict Permission Rules
Administrator only access to WordPress backend
2. Managed Security Services
Optimal Apache Server Configuration
Uninterrupted Database Connection
Forced Strong Passwords and Two Factor Authentication
Daily Updated versions of MySQL and PHP
Audit controls log all site access involving PHI
Daily updated malware scans
24x7x365 monitoring
3. Any Future Updates & Hardening
4. Data Migration
Migration services for 2 databases
No-loss Transfer of all web content
Complimentary New host configuration
Complimentary WordPress configuration
Anytime login to the WordPress admin area
Read posts and pages
Comment on posts and pages
Edit and delete unpublished posts and pages
Edit and delete published posts and pages
Publish posts and pages
Upload files to media library
Modify, edit and delete any post or page
Manage categories
Moderate comments
Edit the Enfold theme
Add or remove users (Author/Contributor/Subscriber level)
Manage Users (Editor/Administrator level)
Add/Remove Themes and Demo Sites
Install/Remove plugins and widgets
All Core/Plugin/Theme Updates (may be automated)
MY CLINICAL SERVER / MY CLINICAL SITE / AMERICAN CLINICAL GROUP
Alpharetta, GA 30022 USA
support@myclinicalserver.com
© 2023 American Clinical Group. All rights reserved. Trademarks are the property of their respective owners.