We are occasionally asked questions about the security risk analysis (SRA) process. Why can't we use a checklist we found on the internet? Why do we need an action plan? Shouldn't any areas that need improvement be addressed immediately? Is conducting an SRA a once-and-done process?
To answer these questions, we created the following list of security risk analysis best practices:
- Avoid using "checklist" options when performing your initial and subsequent SRA submissions. When preparing to perform an SRA you may discover there are several "checklist" options available on the internet. While these checklists can be useful tools for starting a risk analysis, they do not fulfill the requirements for performing a systematic security risk analysis or documenting that one has been performed.
- Conduct an initial SRA and identify any areas that are lacking or could use improvement. Your initial SRA should require the most work upfront. The SRA encompasses all potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits.
- Once these areas are identified, create an action plan to address them prior to your next SRA submission. Your action plan should state how and when each area that is lacking or could use improvement will be addressed. For example, during the SRA you determine that your password policy is lacking: it does not require unique IDs or strong passwords, and users are not required to change their passwords. During the next 90 days, and prior to your next SRA submission, you will create a policy that requires unique IDs and strong passwords, which users will be required to change every six months.
- Even if you have installed and implemented a certified EHR, you must perform a full security risk analysis to fulfill HIPAA Security rule requirements. Many professionals and organizations believe EHR vendors already address privacy and security issues. While it's true EHR vendors offer some information about security, it is actually a requirement for all covered entities and business associates to conduct a risk analysis.
- Perform subsequent SRA submissions at a minimum on an annual basis thereafter; conducting an SRA is not a one-and-done process. Under the HIPAA Security Rule, if your organization handles protected health information, you must regularly review the administrative, physical, and technical safeguards you have in place to protect the security of that information. Previously in both Stage 1 and Stage 2 of Meaningful Use, and now as part of the Advancing Care Information category of the Merit-Based Incentive Payment System (MIPS), groups are required to: conduct an SRA when certified EHR technology is adopted in the first reporting year; complete the SRA process in subsequent reporting years; and also perform an SRA when changes or updates occur.
Don't wait until the last minute!
Each year, we receive a large number of SRAs at the end of the year. Because so many arrive at once, it is difficult to ensure each report is marked complete prior to the new year. To prevent delays, or having your SRA show a completion date in the following year, we highly recommend getting your SRA done early. This allows sufficient time for your SRA to be reviewed and marked complete for the current year.
If you would like more information about the SRA process, please feel free to send us an email at [email protected] or reach us by phone toll-free at 855-427-0427.