Security Risk Assessment, What it is and How to Conduct One

MessageThis Webinar is over
Date Jul 9, 2015
Time 12:00 PM EDT
Cost $139.00
Overview: In this session we will demystify the reasons to and the process of conducting a Security Risk Assessment ("SRA"). Starting with a discussion of the implications of not conducting an SRA you will understand the liability landscape presented by a variety of governmental agencies. We will then move on to present the impact the SRA has on your revenue cycle, and the operation of your practice. We will discuss how your SRA impacts your web presence, your Business Associates, and other organizations you and your practice work with, including billing companies, durable medical equipment suppliers ("DME"), volunteers, attorneys and accountants. 

We will then explain the why the SRA is the cornerstone of your HIPAA compliance program and how to conduct one per the requirements of the HIPAA/HITECH regulations.

At the end of this session the attendee will understand how the SRA fills a role in determining what constitutes HIPAA compliance, and how to understand what is really meant by the terminology commonly encountered, and misunderstood, when discussing the components of the SRA. We will discuss major areas of the SRA; the Technical, Physical and Administrative Safeguards, in such a way that the attendee will understand what they mean and how to address them.

We will cover a couple of specific ambiguities and discuss some examples encountered in the SRA. We will explain and demonstrate how to work through the ambiguities, and draw a conclusion that allows you to take defensible action. In this section we will show you what reference materials are available, and work through at least one example of an ambiguity, and show you how to reach defensible solution. We will also explain what constituted a defensible solution and why it is important.

We will cover the concepts and terms encountered when discussing the SRA; what the SRA, actually, is and what are you obligations under HIPAA. We will discuss the misconceptions around terms such as the Security and Privacy Regulations, what do Technical, Administrative and Physical Safeguards really mean. We will cover the ramifications of not complying with HIPAA requirements for an SRA when you have a reported breach, and discuss why having completed the SRA is only the beginning of the process, not the end. 

After covering the generalities, the presentation will then focus on specific concepts and terms that are common to breaches that have been reported over the last few years, and how having conducted an appropriate SRA would have prevented or minimized the impact of the breach. We will work through some of the myths encounter when discussing SRAs, explain why they exist and demystify them to give the attendee the "truth" behind these myths.

As we work through the language of the RSRA, we will not discuss the terminology and concepts from a high level view, but rather with the goal of providing sufficient detail so the attendee will leave with actionable items. Finally, the objective of this presentation is not to make you an expert on conducting an SRA, and why that would be difficult, but rather give you the information you need to ask the right questions of your Chief Privacy and/or Security Officer(s), or consultant. 

Why should you attend: Less than 80% of entities are conducting their required Security Risk Assessment ("SRA"); even those entities who have attested for Meaningful Use. A Security Risk Assessment is a regulatory requirement for both Meaningful Use and HIPAA compliance, and where your compliance program begins. Failure to conduct this cornerstone of HIPAA compliance puts you on the wrong side of the Office for Civil Rights (OCR) along with other federal and state agencies, right from the start. Add to this the expansion of more and more tort actions, with larger and larger jury awards. But that isn’t even the extend of the damage. Costs associates with fines and penalties only account for 15% of the total cost of a breach, to your practice. For your consideration; recent surveys of patient sentiment indicate that:
  • 2/3 of patients do not have confidence that their healthcare provider is doing enough to keep their information private
  • 54% of patients would change providers if they found one they believed had the ability to keep their information confidential
  • 12% of patients say they withhold information from their healthcare provider because of privacy concerns
In this session you will learn the when and why to conduct your SRA. We will show you what you need to include in the risk assessment, how to conduct an assessment, and what to do with the results. Once the Risk Assessment is completed, learn how to interpret the results, and plan your next steps.

You will leave this presentation understanding how to keep the trust of you patients after all they come to you because they trust you. You will understand how the SRA is the cornerstone of becoming and maintaining HIPAA compliance. Finally you will understand how your efforts at HIPAA compliance can enhance your revenue cycle, increase your referrals, and preserve the trust of your patients.

Areas Covered in the Session:
  • What is an Security Risk Assessment ("SRA")
  • What are the consequences of not conducting an appropriate SRA
  • What are patient sentiments towards Privacy and Security
  • What is the terminology of an SRA
  • What are the required components of the SRA
  • What constitutes an adequate risk assessment
  • What is meant by a "Required" and "Addressable" implementation specification
  • What is an OCR Resolution Agreement and why should I care
  • What are my training requirements
  • What is a Breach vs. a Reportable Breach
  • What is a Business Associate and what are my responsibilities
  • What is an OCR audit , what will they ask for
  • What is an OCR investigation, what will they ask for
  • What is Willful Neglect and what does it mean to me

Who Will Benefit:
  • CEO
  • COO
  • CFO
  • Human Resources
  • Chief Nursing Officer
  • Chief Clinical Officer
  • Practice Managers

Roger Shindell has more than 30 years of multidisipline experience in the areas of health care, elearning, marketing, finance, operations and information technology. Roger has worked in start-up, rapid growth and turnaround environments. Over his career, Roger has been both an advisor to and principal in a number of health care, technology and service companies. 

Roger Steven
contact no: 800-385-1607
fax no: 302-288-6884
Event Link:


Create your own event
Turn your passion into a business.
Join our mailing list