Why You May Need HIPAA Compliant Cloud Servers


Security Risk Assessment Tool

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. To learn more about the assessment process and how it benefits your organization, visit the Office for Civil Rights’ official guidance.

What is the Security Risk Assessment Tool (SRA Tool)?

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program. The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.

Source: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

SRA Tool for Windows

The SRA Tool is a desktop application that walks users through the security risk assessment process using a simple, wizard-based approach. Users are guided through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed.

This application can be installed on computers running 64-bit versions of Microsoft Windows 7/8/10/11. All information entered into the tool is stored locally on the user’s computer. HHS does not collect, view, store, or transmit any information entered into the SRA Tool.

Download Version 3.3 of the SRA Tool for Windows [.msi – 70.3 MB] https://www.healthit.gov/sites/default/files/SRA-Tool-3.3.msi

SRA Tool Excel Workbook

This version of the SRA Tool takes the same content from the Windows desktop application and presents it in a familiar spreadsheet format. The Excel Workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application. This version of the SRA Tool is intended to replace the legacy “Paper Version” and may be a good option for users who do not have access to Microsoft Windows or otherwise need more flexibility than is provided by the SRA Tool for Windows.

This workbook can be used on any computer using Microsoft Excel or another program capable of handling .xlsx files. Some features and formatting may only work in Excel.

Download Version 3.3 of the SRA Tool Excel Workbook [.xlsx – 128 KB] https://www.healthit.gov/sites/default/files/page/2022-05/SRA_Tool_Excel_Workbook_3.3.xlsx

SRA Tool User Guide

Download the SRA Tool User Guide for FAQs and details on how to install and use the SRA Tool application and SRA Tool Excel Workbook.

Download SRA Tool User Guide [.pdf – 6.4 MB] https://www.healthit.gov/sites/default/files/page/2022-05/SRA_Tool_3.3_User_Guide.pdf

What makes a server HIPAA compliant

Server Requirements

Strong firewall

Your hosting environment needs to fully implement firewalls. A perimeter firewall is only a starting point: the servers behind it also need their own host-based firewalls, so that a breach of the perimeter does not expose every system behind it. The firewall policy should be applied system-wide across your HIPAA server environment, not only to selected hosts.

Encrypted VPN

An encrypted VPN keeps your connection to the server private by tunnelling traffic between your network and the hosting environment, so it is not exposed on the open internet. VPNs are now a baseline requirement for safe remote access. Remember that not all VPN products offer the same level of security, so research the options before choosing one.

Multi-factor authentication

Every person with access to the server must use multi-factor authentication. In addition to a password, they receive a one-time code through an authenticator app or SMS that they must enter to gain access.

Private hosted environment

If your platform is not privately hosted, it shares its underlying resources with other tenants. A private hosted environment, by contrast, dedicates those resources to you and keeps your information isolated and secure.

SSL certificate

A Secure Sockets Layer (SSL) certificate, which enables encrypted HTTPS connections, must be installed on every domain and subdomain of your website that handles sensitive healthcare information. Every part of your website that requires login credentials must be served over a connection protected by an SSL certificate.

HIPAA, SOC 2 Type 2 and SOC 3 Type 2 certifications

You need to work with a service provider whose infrastructure has been audited and has received SOC 2 and SOC 3 reports. These reports are based on an audit conducted under AICPA guidelines and cover the operating effectiveness of the provider’s controls, not just their design.

Business Associate Agreement (BAA)

If you hire any third party to assist you with handling ePHI, you must sign a BAA with them. The agreement ensures that both businesses take their responsibilities for HIPAA compliance seriously.

HIPAA Requirements

Website Compliance

Highly Secure, Fully Managed, HIPAA Compliant Websites for Health & Wellness Professionals

Why Choose WordPress with HIPAA Compliance?

My Clinical Site’s highly secure WordPress platform is a fully managed hosted solution, specifically designed for HIPAA compliance. It’s a key consideration for health & wellness professionals who are covered entities under HIPAA rules.

Health & Wellness practices and other handlers of PHI data will benefit from ease of use, plugins, the Enfold theme, and client portal features. Standard WordPress software is not secure for the storage or transfer of PHI (protected health information).

My Clinical Site’s managed WordPress hosting protects sensitive patient data while keeping your website running at optimum speed and high availability.

What makes My Clinical Site’s WordPress HIPAA Compliant?

1. Only the most current versions of MySQL and PHP (essential components of WordPress) are installed, and they are kept up to date
2. Audit controls log all site access and record all activity that involves PHI
3. Strong Passwords and Two Factor Authentication plugins are standard in our HIPAA compliant WordPress installations
4. Secure updates are managed only through sFTP
5. 24x7x365 monitoring, with a response time of under 300 seconds to critical alerts
6. Over 95% rate of problem resolution on the first call

What Is Included in My Clinical Site’s HIPAA Compliant WordPress sites?

1. Configuration and Optimization
   - HIPAA Compliance
   - WordPress installation, configuration, & optimization
   - Strict Permission Rules
   - Administrator only access to WordPress backend
2. Managed Security Services
   - Optimal Apache Server Configuration
   - Uninterrupted Database Connection
   - Forced Strong Passwords and Two Factor Authentication
   - Daily Updated versions of MySQL and PHP
   - Audit controls log all site access involving PHI
   - Daily updated malware scans
   - 24x7x365 monitoring
3. Any Future Updates & Hardening
4. Data Migration
   - Migration services for 2 databases
   - No-loss Transfer of all web content
   - Complimentary New host configuration
   - Complimentary WordPress configuration

What access do My Clinical Site customers get?

Anytime login to the WordPress admin area
Read posts and pages
Comment on posts and pages
Edit and delete unpublished posts and pages
Edit and delete published posts and pages
Publish posts and pages
Upload files to media library
Modify, edit and delete any post or page
Manage categories
Moderate comments
Edit the Enfold theme
Add or remove users (Author/Contributor/Subscriber level)
Manage Users (Editor/Administrator level)
Add/Remove Themes and Demo Sites
Install/Remove plugins and widgets
All Core/Plugin/Theme Updates (may be automated)