MACRA and HIPAA Security Risk Assessment

A couple of days ago, I had a couple of team members ask me about MACRA and the HIPAA Security Risk Assessment. The conversation started with a question presented by one of our clients: “If I only see insurance and self-pay clients, do I have to conduct a HIPAA Security Risk Assessment?” The answer is simple, but the ramifications may not necessarily be. The answer is yes, you do have to conduct a HIPAA SRA.

HIPAA is a federal law, and one of its better-known compliance requirements is the completion of an SRA. The law itself doesn’t require annual SRAs, but other agencies do require that an annual SRA be completed and documented by Covered Entities (CEs) and Business Associates (BAs). In addition to the requirements of those agencies, Covered Entities attesting to Meaningful Use are required to complete an SRA for the year they are attesting to, prior to completing their annual attestations. Regretfully, many covered entities overlook this detail, unaware that in addition to failing to comply with HIPAA, they are also committing fraud and breaking several laws by this act alone.

As it relates to MACRA, the HIPAA SRA is one of the key reporting measures under the “Advancing Care Informatics/Innovation” section. This section counts for 25% of the healthcare professional’s overall score under the new payment system, and failing to conduct a Security Risk Assessment nullifies any potential points healthcare providers may qualify for in this area. And in case you missed it, a HIPAA SRA is also one of the key components of the Electronic Health Record (EHR) incentive program. In other words, fail to conduct an SRA and you pretty much give up your rights to any potential monies under the EHR incentive/Meaningful Use program, increase your liability and fines in the event of a breach or an audit, and reduce your ability to obtain 100% of your Medicare reimbursement in the future.
Based on the above, my recommendation is simple: make sure you conduct and document a HIPAA Security Risk Assessment before the end of the year.