There have been some discussions regarding HIPAA Security Risk Assessments (SRAs) and the requirement to perform one. Some rumors claim that SRAs are no longer required because they were part of Meaningful Use and that program has been terminated. Other rumors claim that SRAs are only for Medicare providers and do not apply to those who do not treat the Medicare population. Our intent with this article is to set the record straight.
Conducting a HIPAA Security Risk Assessment (SRA) is a legal requirement that is not going anywhere. There have been some changes to the laws that refer to SRAs, and we would be naïve not to expect that additional changes may happen. However, none of the changes has even considered the possibility of eliminating this requirement.
From the standpoint of cost alone, it would be foolish not to conduct an SRA at least annually, as the fines for failing to conduct a HIPAA Security Risk Assessment (SRA) could reach up to $50,000 per day. Even worse, we have noticed a trend where the average settlement for HIPAA violations seems to gravitate around $1 million. As it relates to the fines, no one is safe: we have seen religious, government, not-for-profit and private entities held accountable and paying fines of this kind.
From another angle, MACRA (Medicare Access and CHIP Reauthorization Act), which is the new Medicare payment system, requires that SRAs be conducted as part of the Advancing Care Information section. The guidance is very specific and has indicated that failing to perform a HIPAA Security Risk Assessment (SRA) will result in a score of 0 on the Advancing Care Information section. This means a loss of 25% of the points used to calculate your reimbursement level.
Something else to keep in mind, which has been a topic for debate, is the timing of the SRAs. The guidance from the Federal Government indicates that providers “must conduct or review a Security Risk Assessment for each EHR reporting period”. While many Covered Entities have waited until the end of the year to conduct their HIPAA Security Risk Assessment, we recommend moving it to as early in the year as possible. The reasons for this are simple:
MACRA gives you the ability to report your measures for any 90 consecutive days. If you wait until December, you will be bound to report your measures for the last quarter of the year or miss your numbers altogether. Considering that the SRA should be your first step in the Advancing Care Information category, you should not report your measures until the next calendar year.
From the standpoint of the intent of the law, a Security Risk Assessment (SRA) should be conducted at the beginning of the year as a means to establish a baseline and decide upon a plan of action to implement for the rest of the year.
Last but not least, HIPAA Security Risk Assessments (SRAs) have become the cornerstone of every Government audit and inspection. Worst of all, each agency we have worked with emphasizes a different area of the SRA, which means that these SRAs must, at the very least, be able to address those areas to the satisfaction of the auditing agency. Another point to consider: most of these audits are desk audits, which are cheap and easy to conduct, so their number is increasing regardless of your location.
In summary, conduct your SRA as soon as possible, and do not cut corners by doing it yourself or going with the cheapest source, as this will not end well.