Chances are you have seen headlines about patient data breaches, patient complaints, and resulting audit findings at various healthcare organizations, some perhaps even involving your own health information. A recurring theme in those stories is the importance of a robust risk management process, which starts with a HIPAA security risk analysis (SRA).
Both HIPAA and the CMS quality reporting programs treat the SRA as a key component of any solid internal security program. An SRA sets out to uncover risks to protected health information (PHI) so that you can put policies and procedures in place to reduce them.
- As a patient, wouldn’t you like to know that your doctor is doing everything they can to protect the privacy and security of your health information?
What is an SRA?
Some things an SRA is not:
- It is not optional for small providers.
- It is not a checklist.
- It is not a “one and done” effort.
- It is not a task your certified EHR completes on your behalf.
Instead, an SRA guides you through an assessment of your practice’s current compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule. That assessment generally takes the form of a set of questions that help you identify potential risks to the confidentiality, integrity, and availability of the electronic PHI (ePHI) in your practice.
- Remember: finding risks is not bad. Failing to act on the risks you identify is bad. In fact, an SRA that finds no risks is a good indication that the process was not done thoroughly. Every practice should find things that can be improved.
What comes next?
The end result of a comprehensive SRA is a ranked list of potential risks, each with a mitigation plan and a target date. You can think of these results as a ‘To Do’ list for the security of your patients’ ePHI. Documentation that supports your practice’s ongoing compliance includes:
- Ongoing risk mitigation efforts.
- Updating policies and procedures.
- Training specific to your practice.
- Maintaining business associate agreements.
- Reviewing and updating your security risk analysis.
Why is documentation so important?
Documentation helps you tailor your HIPAA training to your practice’s specific needs and prepares you to respond to potential breaches, patient complaints, or an audit. In fact, one of the first things you will be asked to provide during an audit is your SRA. Results of OCR audits conducted over the last few years indicated that:
- 94% of audited organizations lacked a security risk management plan.
- 83% of organizations had not performed a risk analysis.
How does the COVID-19 pandemic affect all of this?
First and foremost, HIPAA still applies. For detailed guidance, visit the HHS Office for Civil Rights (OCR) website. A few areas to pay close attention to:
- Sharing PHI.
- TeleHealth and HIPAA.
- Cyberattacks and New Security Risks.
Undoubtedly, you had to make some changes to your everyday workflows (and fast) to respond to COVID-19. Maybe you are now realizing that the incident response plan you previously had in place did not fully address your current situation. This is completely understandable, and it is also a great reason to complete and document a post-incident review and carry the results into your next SRA update. Documentation should include:
- Changes in staffing.
- Adjustments to user access roles.
- Remote access (who and where?).
- Equipment changes.
- Implementation of new applications.
Want to dive deeper into the topic?
RevolutionEHR's partner Abyde recently hosted a discussion about HIPAA Privacy and Security and the unique challenges and opportunities brought about by COVID-19. We encourage you to set aside about 45 minutes and watch the recording here.