HIPAA Security Risk Assessments Myths

In the last couple of years we have had the opportunity to represent several clients in Meaningful Use HITECH audits. Overall, our findings during these engagements reflect a series of misunderstandings about the responsibilities of Covered Entities and Business Associates as well as the requirements of the law. These issues have resulted in an intensive forensic audit on our part and, at times, simply a realization for our clients that failure to understand the law is not an excuse for not complying. In the spirit of helping our clients with some of the key concepts, we reproduce below a table that CMS created in March 2016, which we found ideal as a tool to clarify some of the basic concepts.

Myth: The security risk analysis is optional for small providers.

Fact: False. All providers who conduct certain electronic transactions, such as billing, are “covered entities” under HIPAA and are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

Myth: Simply installing a certified EHR fulfills the security risk analysis MU requirement.

Fact: False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth: My EHR vendor took care of everything I need to do about privacy and security.

Fact: False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

Myth: I have to outsource the security risk analysis.

Fact: False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.

Myth: A checklist will suffice for the risk analysis requirement.

Fact: False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

Source: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf