HIPAA

Tool does not produce an SRA

  • 1.  Tool does not produce an SRA

    Posted 09-22-2020 09:35 AM
    Yes...there is a new version of the Security Risk Assessment Tool on the ONC website. Keep in mind, as shared by the OCR during the last review of the tool...the tool does not produce a risk analysis that would meet the requirements listed in the Security Rule. However, it can serve as a useful tool to help entities assess their compliance with the Security Rule.

    Just want to share as I am sure there will be mixed messaging by non OCR sources.  This validation is recorded in several of the webinars that ONC held during the last review of the tool.  I have some questions on the new version that I submitted...and will continue to monitor OCR's position on the use of the tool.



    Posted: 6:34 AM AZ time

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Up:
    C&C...CPG OIG and 8B2.1

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    Barbara Zubeck - June - CHPC
    Patricia Radatz - June - CHC
    Anthony Fleming - July - CHC
    Laura Chaney - July - CHC
    James Maruyama - July - CHC
    Namrita Notani - July - CHC
    Lisa Campbell - August - CHC
    Susan Hammerschmidt - August - CHC
    Brandi Brooks - August - CHC
    Shari Singleton - August - CHC
    Rebecca Crane - August - CHC
    Meagan Bottrell - August - CHC
    Jill Lyons - August - CHC
    Camille Walton - September - CHC
    Danique Flax - September - CHC
    Melanie Schoonover - September - CHPC
    Meghan Smith - September - CHC
    Mandi Quigley - September - CHPC
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: Tool does not produce an SRA

    Posted 09-22-2020 10:20 AM

    It just seems nonsensical that they would put out an SRA tool that they won't accept as a valid SRA. I guess they are providing "guidance" and trying NOT to commit to/create a "standard".

     

    Best Regards,

    Scot Lovejoy   

    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer


    9 Campus Drive, Suite 200

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440

     

    Confidentiality Notice:  This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure.  If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system.  Thank you.

    No copyright infringement intended.

     

     






  • 3.  RE: Tool does not produce an SRA

    Posted 10-23-2020 07:53 AM

    Speaking of a valid SRA - aside from hiring an outside organization to provide one - what is everyone else using to perform their SRA? 

    Does anyone use frameworks such as NIST, ISO, etc.?



    ------------------------------
    Misty Booker, CHC, CHPC, CCSFP
    Security Compliance Analyst
    Knoxville, TN
    ------------------------------



  • 4.  RE: Tool does not produce an SRA

    Posted 10-23-2020 11:01 AM
    I think the most used framework...BY FAR...is that offered or described in NIST 800-30. I definitely see how ISO 27001 would easily fulfill the risk analysis requirement...because if let's say Computer Security was from A to Z....NIST 800-30 may go from A-J....whereas ISO 27001 goes from A-Z....way more than required by HIPAA...not a bad thing.

    Just comparing scopes between the two...curious how others also consider the differences between the two frameworks.



    Posted: 7:58 AM AZ time

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Up:
    C&C...CPG OIG and 8B2.1

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    Barbara Zubeck - June - CHPC
    Patricia Radatz - June - CHC
    Anthony Fleming - July - CHC
    Laura Chaney - July - CHC
    James Maruyama - July - CHC
    Namrita Notani - July - CHC
    Lisa Campbell - August - CHC
    Susan Hammerschmidt - August - CHC
    Brandi Brooks - August - CHC
    Shari Singleton - August - CHC
    Rebecca Crane - August - CHC
    Meagan Bottrell - August - CHC
    Jill Lyons - August - CHC
    Camille Walton - September - CHC
    Danique Flax - September - CHC
    Melanie Schoonover - September - CHPC
    Meghan Smith - September - CHC***
    Mandi Quigley - September - CHPC
    Madhavi Perumpalath - September - CHC
    Cassie Brazelton - September - CHC
    Meghan Smith - September - CHPC***
    ------------------------------



  • 5.  RE: Tool does not produce an SRA

    Posted 10-23-2020 12:05 PM

    Misty,

    HIPAA COW has a Risk Tool kit available on their site for free that is based on the NIST 800-30 framework.

    I haven't used it as we contract with an independent third party to do our SRAs but HIPAA COW has some very good resources.

     

    Best Regards,

    Scot Lovejoy   

    Scot Lovejoy RPh. CHC CHPC

    Chief Pharmacy Officer

    Compliance Officer


    9 Campus Drive, Suite 200

    Parsippany, N.J. 07054

    (O) 973-540-8400  x227

    (C) 973-570-3803

    (F) 973-540-8440



  • 6.  RE: Tool does not produce an SRA

    Posted 10-23-2020 12:55 PM

    Thank you, Frank and Scot!

     

    I will check out the resource on HIPAA Cow. I've frequented the site and the resources are especially helpful.

    Frank, I haven't worked with either NIST or ISO so I am thankful for your comparison between the two, that is beneficial.

     

    On another note – HITRUST submission is happening NEXT WEEK!! All documents are going to be finished uploading today, by our assessor. Final scores are being entered in right now. Two days ago we did realize that we needed to answer some additional factor questions that HITRUST added, which added 16 controls. Thankfully it didn't ding us TOO bad. We ended up with an additional three GAPs out of those. Overall – we ended up with ten GAPs out of 449 controls. So, I'm pleased.

     

    Now….. we wait for HITRUST to review and send us back their thoughts. 😊



    ------------------------------
    Misty Booker, CHC, CHPC, CCSFP
    Security Compliance Analyst
    Knoxville, TN
    ------------------------------



  • 7.  RE: Tool does not produce an SRA

    Posted 10-23-2020 05:50 PM
    Way to go, Misty!  What an endeavor that must have been to get through it all!  Good to see you here again. Have a great weekend-

    ------------------------------
    Marie Wagner, CHC, CHRC
    Operations Manager, Corporate Compliance
    The Queen's Health Systems
    Honolulu, HI
    ------------------------------
