Conducting and reviewing a security risk analysis (SRA) is one of the most important requirements your organization will undertake. An SRA should be thought of as an ongoing process that your organization continually improves to ensure the privacy and security of your patients' protected health information (PHI). An SRA should never be considered a one-and-done process.
An SRA is required for all entities that maintain PHI, not just those that participate in quality payment programs (e.g., MIPS, Meaningful Use).
Under the HIPAA Security Rule, the Security Management Process standard requires organizations to "implement policies and procedures to prevent, detect, contain, and correct security violations." One of the required Security Management Process implementation specifications specifically states that covered entities and business associates must: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the organization."
Healthcare organizations are required to:
- Conduct an initial SRA when certified electronic health record (EHR) technology is implemented.
- Perform an initial assessment, or review and update an existing assessment, when implementing policies and procedures. This way you can demonstrate that your policies and procedures considered potential risks or threats and that a plan was in place to address deficiencies.
- Perform subsequent SRA reviews and updates at least annually, and whenever there are changes to your EHR technology (e.g., a move to cloud-based instead of server-based hosting) or to policies and procedures that affect how ePHI is handled in your organization.
5 Best practices for performing an SRA
1. Avoid using "checklist" options when performing your initial and subsequent SRA submissions.
When preparing to perform an SRA you may discover there are several "checklist" options available on the internet. While these checklists can be useful tools for starting a risk analysis, they do not fulfill the requirements for performing a systematic SRA or documenting that one has been performed.
2. Conduct an initial SRA and identify any areas that are lacking or could use improvement.
Your initial SRA should require the most work upfront. The SRA encompasses all potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits.
3. Once these areas are identified, create an action plan to address these areas prior to your next SRA submission.
Your action plan should state how and when each area that is lacking or could use improvement will be addressed. For example, suppose that during the SRA you determine your password policy is lacking because it does not require unique IDs and strong passwords. Your action plan could state that, within the next 90 days and prior to your next SRA submission, you will create a policy that requires unique IDs and strong passwords, and that you will define specific password requirements (at least 8 characters, multi-case, not easy to guess, etc.).
4. Even if you have installed and implemented a certified EHR, you must perform a full security risk analysis to fulfill quality payment program requirements.
Many professionals and organizations believe EHR vendors already address privacy and security issues. Additionally, in 2019 several MIPS program participants believed an SRA was not required. While it is true that EHR vendors offer some information about security, conducting a risk analysis is a requirement for all covered entities and business associates. Even though an SRA is not scored for MIPS in 2019, it is still required under the Promoting Interoperability category.
5. Perform subsequent SRA reviews and updates at least on an annual basis thereafter. Conducting an SRA is not a one-and-done process.
Failing to perform an SRA, or failing to have documentation demonstrating that a HIPAA-compliant assessment was performed, continues to be a deficiency OCR focuses on. Healthcare organizations can protect themselves by making sure their initial SRA is at least reviewed and/or updated on an annual basis (or more frequently, if necessary).
Need to Perform an SRA?
Healthcare Compliance Pros can help you fulfill your requirements! Our SRA tool is designed to help identify areas that should be addressed or corrected and where policies and procedures may be missing. Once submitted, your SRA will receive a comprehensive review and a custom action plan provided by one of our HIPAA professionals. We like to think of our SRA as living and breathing documentation of all the information you entered previously, so you won't need to complete the entire SRA from scratch each year. Instead, you fill out what was addressed or corrected. This also allows you to show the ongoing compliance efforts your organization has made, as each SRA report that is marked complete is archived and accessible as needed.
Need additional assistance? We can come on site and perform an SRA, a HIPAA Walkthrough, and other assessments.
Contact us for details and pricing: support@hcp.md or by phone: 855-427-0427