First Step Towards HIPAA Compliance: The Security Risk Assessment
HIPAA compliance is crucial to the security of your practice and safety of your patients. One of Abyde’s directors of education, Amber Holden, recently hosted a webinar discussing the first crucial step towards HIPAA compliance, the Security Risk Analysis.
As DrChrono’s preferred HIPAA compliance partner, Abyde provided robust insight into conducting the necessary assessments for your practice. Learn some of the highlights from the edited transcript below, or check out the full webinar here.
What is the HIPAA Security Risk Analysis?
This step falls into the Security Rule portion of HIPAA compliance, as opposed to the Privacy Rule. The SRA is a requirement for all covered entities under the HIPAA security rule. Holden explains that the SRA is “a self evaluation of your practice to identify potential risks and vulnerabilities to your protected health information.”
This evaluation will examine the administrative, physical and technical safeguards that have been put in place at your practice. While it is easy to evaluate and understand which safeguards you have in place, you also need to be able to acknowledge where your practice is lacking.
These are the most essential areas to address, yet it can be difficult for small to medium sized practices to act as their own HIPAA compliance experts on top of managing their offices and delivering high quality patient care. Despite this, the analysis is required at minimum once per year.
Why is the SRA Important?
First and foremost, the SRA is mandatory. Practices must complete it once per year, and if your practice is audited, that will be the first thing the auditor requests. They likely do not have time to see your office in action day-to-day, so a thorough SRA is a must-have. The Security Risk Analysis also works to protect PHI which should be a high priority for medical practitioners.
Despite this, 85% of audited organizations either did not have an SRA, or their SRA was insufficient.
“The widespread lack of completing this requirement has been the cause of many failed audits and has resulted in over $65 million being returned to the government,” says Holden. If incompletion of this process can be so costly for practices, why is it so common?
SRA Misconceptions
One of the most common misconceptions about SRAs is that they only have to be completed one time when they are actually more of an ongoing process, as stated in the HIPAA compliance security rule.
“A covered entity should regularly review its records to track access to PHI, detect security incidents, periodically evaluate the effectiveness of their security measures, and regularly reevaluate potential risks to PHI,” Holden explains.
Another frequently cited misunderstanding is that a practice’s EHR platform will basically handle these security measures. However, your electronic health record system is not conducting security risk analysis for you, but they will help you use the platform as effectively as possible.
They are not responsible for these privacy and security measures for your practice. Moreover, they are likely not the sole location of all PHI at your office. That can also include paper records, files and charts. Similar to the EHR vendor, your IT provider is not responsible for your SRA. They can, however, help assess and implement technical safeguards.
Finally, many smaller practices either assume they do not have to complete the SRA, or that they only need to fill out a basic checklist. Every covered entity must perform a Security Risk Analysis, full stop, and while some check lists are available, they likely do not cover the full breadth of areas required in a thorough audit.
What Does an SRA Need to Include?
“Ultimately your SRA should identify where PHI is stored and how it’s received or transmitted for the full scope of your practice,” says Holden.
This means you must account for all areas of your electronic medical record system from patient records to billing systems. You also must assess current safeguards in place to protect PHI.
After you have identified those measures, it is time to figure out which of these safeguards are being used effectively. You must also assess the potential damage caused in the event of a breach, assigning the proper risk levels for these vulnerabilities and potential impacts. Then, identify and document potential threats, and put a plan in place to address these risks whenever necessary.
Options to Complete an SRA
Practices have three main methods of getting their SRA completed, the most obvious being to complete it themselves. This is doable, but for many practices, it is not entirely practical due to the high degree of HIPAA expertise required.
While the government provides tools to help practices complete these assessments, they are often broadly focused, so they may not provide all of the necessary steps and information that would be relevant to your practice.
Finally, practice’s can outsource the project to a third party service provider. Because practitioners and office staff often do not have the bandwidth to master the intricacies of HIPAA compliance, this is a useful option to have. Although these will often be fairly expensive and time consuming, it may be worth the cost for their expertise.
HIPAA compliance is difficult to achieve perfectly for many practices, especially those without large support staff. However, it is crucial to the security and privacy of patients and providers. For more in depth information about the Security Risk Analysis step in this process, you can view the complete webinar here.