The HIPAA Security Rule requires organizations subject to HIPAA to conduct a Security Risk Analysis (SRA) to identify, address and mitigate risks to protected health information (PHI). The Office of the National Coordinator (ONC) published a list of ten common myths related to the SRA process. We’ve expanded on the ONC’s prior list, providing additional guidance from our experience working with numerous healthcare data experts across the United States. As many organizations seek to understand the SRA process, they may want to keep the following tips in mind.
“The Security Risk Analysis is optional for small practices”
Myth! All organizations subject to HIPAA (both covered entities and business associates) are required to perform a Security Risk Analysis in accordance with the HIPAA Security Rule. There is no exemption for small practices.
“Installing a certified EHR fulfills the Security Risk Analysis MU or MIPS requirement”
Myth! Even with a certified Electronic Health Record (EHR) platform, you must perform a full Security Risk Analysis to meet HIPAA, Meaningful Use (MU), and Merit-Based Incentive Payment Systems (MIPS) requirements. Security requirements address all protected health information you maintain, not just what is in your EHR.
“My EHR vendor took care of everything I need to do about privacy and security”
Myth! Your EHR vendor may be able to provide information, assistance and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules for you. It is solely your responsibility to have a complete Security Risk Analysis conducted.
“I have to outsource the Security Risk Analysis”
Myth! It is possible for small organizations to do Security Risk Analysis themselves using self-help tools. However, doing a thorough and professional Security Risk Analysis that will stand up to a compliance review or Office of Civil Rights (OCR) audit will require expert knowledge which can be obtained through services of an experienced outside professional. Interested in assistance? ScanSTAT can help!
“A checklist will suffice for the Security Risk Analysis requirement”
Myth! Checklists can be useful tools, especially when starting a Security Risk Analysis, but they fall short of performing a systematic Security Risk Analysis or documenting that one has been performed.
“There is a specific Security Risk Analysis method that I must follow”
Myth! A Security Risk Analysis can be performed in countless ways, as long as it meets the regulatory requirements of a SRA. Health and Human Services (HHS) has issued Guidance on Security Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure PHI.
“My Security Risk Analysis only needs to look at my EHR”
Myth! Review all electronic devices that store, capture or modify electronic protected health information, and also consider any paper PHI. The SRA process is not just limited to electronic sources of PHI but should include physical PHI as well. Include your EHR hardware and software and devices that can access your EHR data (i.e., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data!
“I only need to do a Security Risk Analysis once”
Myth! To comply with HIPAA, you must continue to review, correct or modify, and update security protections. If participating in Meaningful Use or MIPS, a SRA must be conducted for each reporting period.
“I must fully mitigate all risks identified right now”
Myth! Organizations should address all risks identified as part of a Work Plan and work to correct them over time as reasonable and appropriate within the confines of the regulations.
“Each year, I’ll have to completely redo my Security Risk Analysis”
Myth! Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. This does not need to mean your organization needs to start from scratch; however, it is advised that organizations should still conduct a thorough review. Under the Meaningful Use and MIPS programs, reviews are required for each reporting period.
Need Assistance with a Security Risk Analysis?
ScanSTAT can help! We know the Security Risk Analysis process can take a significant amount of time and resources to conduct it in house. Our Security Risk Analysis service differs from others on the market because a team of experienced and dedicated experts will complete your SRA for you!
After completion and review of an organizational profile to learn more about your organization, the SRA team conducts an informational phone interview with you to gather the information they need to document the responses required for your SRA documentation. This interview process leaves the “heavy lifting” to our team, alleviating your staff time and responsibility. The result is quality and in-depth documentation backed by years of experience.
As part of the process, the ScanSTAT SRA team addresses administrative, physical and technical safeguards, ultimately outlining opportunities for improvement and associated risk levels. Through a secondary review call, our team provides suggestions for addressing any identified deficiencies. Additionally, as the Security Risk Analysis often relies on what is documented as part of an organization’s policies and procedures, the ScanSTAT team produces 18 semi-customized policies for your organization.
Save staff time and be confident in the quality of your SRA. Contact us today to learn more and receive a custom quote!