Conducting and reviewing a security risk analysis (SRA) is perhaps one of the most important HIPAA requirements and Meaningful Use requirements your organization will undertake. An SRA is an ongoing process of continual improvement that your organization should maintain to ensure the privacy and security of your patients' protected health information - not a one-and-done exercise.
Occasionally, organizations believe that once an SRA has been performed for the year they are out of the woods. The problem with that belief is that an SRA should include a corrective action plan to correct the security deficiencies identified during the SRA process. The following sections discuss the importance of performing an SRA for Stage 1 and Stage 2 Meaningful Use, when the SRA should be performed, why a corrective action plan should be part of your organization's risk management process, and the importance of an SRA in the event of an audit.
A Stage 1 and Stage 2 Requirement
Did you know that a security risk analysis needs to be conducted or reviewed during each reporting period for Stage 1 and Stage 2 Meaningful Use?
This means all Meaningful Use participants, regardless of which Stage they are in, must conduct or review an SRA during each reporting period. Organizations are required to conduct an SRA when certified EHR technology is adopted in the first reporting year, and then conduct or review their SRA during each subsequent reporting period:
In Stage 1 Meaningful Use, Core Measure 13's objective states:
Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
The Measure for this objective:
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
There is no exclusion available for this requirement.
The objective for Stage 2 is similar:
Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.
However, the measure for Stage 2 includes additional requirements:
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.
Like Stage 1, there is no exclusion available.
Corrective Action Plan
"Correct identified security deficiencies as part of the provider's risk management process" is an important part of the SRA process that is often overlooked. As part of the risk analysis, any areas identified as lacking or in need of improvement should be addressed and corrected, and any missing policies and procedures should be implemented.
For example, during your SRA you determine that your organization does not have a documented disaster recovery plan (DRP). A missing or incomplete DRP should be a high-priority item that is addressed in your action plan. Remember, your SRA identifies deficiencies; high-priority deficiencies should be addressed and corrected as part of your corrective action plan prior to your subsequent SRA submission. Your corrective action plan is not only beneficial for SRA purposes - it is important documentation to have in the event your organization is investigated by the Office for Civil Rights (OCR) because of a breach.
In the Event of an Audit
Did you know a lack of documentation demonstrating an SRA was conducted during the Meaningful Use Reporting Period is one of the leading causes of failed audits? As part of the audit process, you will be asked for the SRA that was completed for the specified reporting period. A missing SRA, or an SRA that is incomplete, may result in penalties or, worse, no incentive payment for that attestation year.
Conclusion
Conducting and reviewing a security risk analysis (SRA) is one of the most important HIPAA requirements and Meaningful Use requirements your organization will undertake. A lack of documentation demonstrating an SRA was conducted during the Meaningful Use Reporting Period is one of the leading causes of failed audits. Your corrective action plan should ensure that any deficiencies identified during the SRA process are remedied prior to your next reporting period.
If you have any questions, or would like additional information about performing an SRA, please feel free to send us an email at support@healthcarecompliancepros.com or reach us by phone toll-free at 855-427-0427.
Chad Schiffman is the Director of Research & Development with Healthcare Compliance Pros. Chad's background includes over 15 years of combined experience in Healthcare, Information Technology and Customer Service. Chad holds degrees in the areas of Medical Specialties and Healthcare Administration, and a master's degree in Healthcare Informatics.