Conducting and reviewing a security risk analysis (SRA) is one of the most important HIPAA and Meaningful Use requirements your organization will undertake. An SRA is not a one-and-done exercise; it is an ongoing process of continual improvement that your organization should maintain to protect the privacy and security of your patients' protected health information.
HIPAA and Meaningful Use
An SRA is required of every covered entity and business associate that creates, receives, maintains, or transmits electronic protected health information (ePHI), not just Meaningful Use participants. Under the HIPAA Security Rule, the Security Management Process standard (45 CFR 164.308(a)(1)) requires organizations to "implement policies and procedures to prevent, detect, contain, and correct security violations." Risk analysis is one of that standard's required implementation specifications, meaning your organization must:
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization."
Both Stage 1 and Stage 2 of Meaningful Use reinforce this HIPAA requirement. Eligible professionals and hospitals are required to conduct an SRA in the first reporting year in which certified EHR technology is adopted, to conduct or review the SRA in each subsequent reporting year, and to revisit it whenever significant changes or updates occur (for example, a new EHR system, a new location, or new devices that store ePHI). Stage 2 additionally requires that the analysis address the encryption or security of ePHI stored in the certified EHR technology. Any gaps or weaknesses the risk analysis identifies must be addressed and corrected, and any missing policies and procedures must be implemented.
Did you know Figliozzi & Company is performing Meaningful Use audits for CMS? The HITECH Act gives the Secretary, or any person or organization designated by the Secretary, the right to audit and inspect the books and records of any person or organization receiving an incentive payment. As part of the audit process you will be asked for the SRA completed for the specified reporting period, so it should be dated and should clearly cover that period. A missing or incomplete SRA may result in penalties or, worse, the loss of the incentive payment for that attestation year.
How we can help
Healthcare Compliance Pros offers three options for conducting an SRA, each of which identifies the areas that should be addressed or corrected and the policies and procedures that may be missing. Many of you already use our self-guided online SRA; our other options add a comprehensive review and a custom action plan prepared by one of our HIPAA professionals. Our SRA is designed to meet the HIPAA and Meaningful Use requirements for Stage 1, Stage 2, and beyond, and when the requirements change we update the SRA process for you so that your organization stays in compliance. Because the SRA retains all of the information you entered previously, you do not need to start from scratch each year; you simply record what was addressed or corrected since the last review.
If you would like more information about any of our SRA options, or if you have compliance questions, please comment below, send us an email at [email protected], or call us toll-free at 855-427-0427.