Security Risk Analysis Requirements

Have you completed your Security Risk Analysis (SRA) for Calendar Year 2020? That is a common question we ask our customers, and occasionally the answer is another question: do we have to conduct an SRA every year?

The Department of Health and Human Services, in their final guidance on risk analysis stated:

“The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).) The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment.”

Yet the industry recommendation is to conduct a Security Risk Analysis on a yearly basis, as this is the best way to meet HIPAA requirements and catch any potential breaches and/or environmental changes that may otherwise have been missed.

Note: It is also recommended that the Security Risk Analysis be conducted by an independent third party rather than by the covered entity itself.

However, while researching the Centers for Medicare &amp; Medicaid Services (CMS) guidance for the year 2020, we found the following:

CMS Security Risk Analysis Fact Sheet

“Eligible hospitals and CAHs must conduct or review a security risk analysis of CEHRT including addressing encryption/security of data, and implement updates as necessary at least once each calendar year and attest to conducting the analysis or review.”

https://www.cms.gov/files/document/security-risk-analysis-fact-sheet.pdf

CMS Quality Payment Program: Merit-Based Incentive Payment System (MIPS) Promoting Interoperability Performance Category Measure 2020 Performance Period

“In order to earn a score greater than zero for the Promoting Interoperability performance category, MIPS eligible clinicians must have completed the Security Risk Analysis measure during the calendar year in which the MIPS performance period occurs.”

https://qpp.cms.gov/docs/pi_specifications/Measure%20Specifications/2020MIPSPIMeasuresSecurityRiskAnalysis.pdf

There you have it: CMS requires that a Security Risk Analysis be conducted once per year. So, consider SRAs a cost of doing business and ensure that they are completed by a reputable third party.