Security risk analysis

All providers who are “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA) are required to perform a security risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)). A covered entity is a health care provider, a health plan, or a health care clearinghouse. If you are unsure whether you are a covered entity, you can use the CMS Covered Entity Decision Tool (see Sources).

What is a Security Risk Analysis?

A Security Risk Analysis (SRA), also called a Security Risk Assessment, is a thorough review of your administrative, physical, and technical safeguards to identify the vulnerabilities and risks to the confidentiality, integrity, and availability of the ePHI that your organization creates, receives, maintains, or transmits (45 C.F.R. § 164.306(a)). This covers ePHI in every form of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards and other storage devices, personal digital assistants, transmission media, and portable electronic media. (HHS.gov)

The SRA is the first step in identifying and implementing safeguards that comply with the specifications of the Security Rule.

The steps in an SRA, as laid out in the HHS guidance, include:

  • Define the scope of the analysis (every system and location that holds ePHI)

  • Data collection

  • Identify and document potential threats and vulnerabilities

  • Assess current security measures

  • Determine the likelihood of threat occurrence

  • Determine the potential impact of threat occurrence

  • Determine the level of risk

  • Finalize the documentation (the written analysis is what a compliance reviewer will ask to see)

How do I perform a security risk analysis?

It is possible for small to medium practices to do risk analysis themselves using self-help tools. The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a HIPAA Security Risk Assessment (SRA) Tool. (HHS.gov)

However, a thorough, professional risk analysis that will stand up to a compliance review requires expert knowledge.

PM-OTG does not recommend trying to complete the SRA yourself. If you are a small practice in the DFW area, PM-OTG highly recommends Larry with Protect EHR. Larry is a Microsoft Certified Systems Administrator who specializes in practice workflow and health information technology redesign. You can view his services on the Protect EHR site (see Sources).

Each year, and whenever your practice or its electronic systems change (a new EHR, a new location, new devices, a new vendor with access to ePHI), you will need to review and update the prior analysis for changes in risk.

Now that you’ve learned all about the SRA, it’s time to implement what you’ve learned!

Feel free to contact PM-OTG (or Larry!) for assistance.

Review 10 MYTHS of Security Risk Analysis

Sources

Office for Civil Rights. (2021, June 28). Guidance on risk analysis. HHS.gov. Retrieved November 19, 2022, from https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

Protect EHR, LLC. (2019, February 20). Compliance consulting firm. Retrieved November 19, 2022, from https://protectehr.com/

Centers for Medicare & Medicaid Services. (n.d.). Covered entity decision tool. Retrieved November 19, 2022, from https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/CoveredEntitiesChart20160617.pdf

HealthIT.gov. (2022, October 28). Security Risk Assessment Tool. Retrieved November 19, 2022, from https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
