Security Risk Analysis Season

Look at that…it’s that time of year again. Where the leaves change colors, hurricanes swing by several states and school starts back up signifying that we are rapidly approaching the end of 2019 calendar year. Oh, and looking at that list of old Meaningful Use Standards that have now been folded into MACRA/MIPS.

There is one that tends to catch practices of all sizes off guard: Conduct a HIPAA Security Risk Assessment (SRA). Not analysis. Assessment. Though the actual regulation does not state that it must be done by a third-party; it is highly implied through final rule and through the manner in which the investigations are done by the various alphabet agencies of the federal government.

OCR specifically has been rather prolific and proven capable at finding funds for the federal government by simply asking practices for their CURRENT year SRA. Please remember that checking that box and not having done the SRA means you have defrauded Medicare already; this also includes using HHS’ own self-assessment toolkit. The intent is not to alarm but inform.

A proper SRA looks at over 200 separate sections of the HIPAA Security Regulations, encompassing areas such as IT, physical safeguards, and administrative requirements. The problem is that there are many outfits in the healthcare industry that claim to be able to do an SRA, but only look at one section of the regulation to the detriment of the others; the one on the hook for the incomplete SRA is the Covered Entity that requested it, not the third party that was paid to complete the task.

In every settlement, the organization not only forfeits quite a bit of money, but also conduct a new SRA and show policies and procedures to show that the deficiencies will never happen again. The goal is for you and your practice does not have something like this happen to you.

The price for an in-depth can range from $3,000 to $50,000 depending on the size of the organization; while not a small amount of money, is it larger than the potential of $50,000 per incident up to a maximum of $1.5 million per infraction.

So, if you or your healthcare organization are looking to complete a HIPAA SRA before the end of the year, it would be highly recommended to contact the party that has done it the last several years of your practice. If for whatever reason, your organization does not have one, please feel free to contact us and we would be happy to help your organization get through this requirement as painlessly as possible.