Answer the three questions below to assess your knowledge about HIPAA Security Risk Analysis. The answers to the questions are listed in three short paragraphs following the true or false assessment.
- True or False: My EHR vendor already addresses privacy and security for our organization. Since we primarily use our EHR to create, transmit and store protected health information, conducting an additional HIPAA Security Risk Analysis is optional.
- True or False: Our organization can complete a HIPAA Security Risk Analysis once, by using checklists that satisfy risk analysis requirements.
- True or False: It's a best practice to start each risk analysis from scratch whenever there are changes, to ensure our organization is up-to-date with current information.
If you answered false for each question above, you are exactly right.
Many professionals and organizations believe their EHR vendor already addresses privacy and security on their behalf. While EHR vendors do build security controls into their products and provide some documentation about them, the vendor's product is only one part of your environment, and the obligation to perform a risk analysis rests with you. Under the HIPAA Security Rule, covered entities (and, since the Omnibus Rule, business associates) are required to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI)" that they hold. A security risk analysis is also a meaningful use requirement: even if you have installed and implemented a certified EHR, you must still perform a full security risk analysis of your own organization to fulfill the meaningful use requirements.
A HIPAA Security Risk Analysis should be conducted at least annually. To comply with HIPAA, organizations must continue to review, correct or modify, and update their security protections as risks change. Checklists are a helpful starting point, but a checklist by itself is neither a systematic risk analysis (it does not identify the ePHI you hold, the threats and vulnerabilities that affect it, the likelihood and impact of each, or the controls you chose in response) nor evidence that such an analysis was actually performed; you still need to document the analysis and its results.
It's a best practice to perform a full security risk analysis when you implement an EHR. After that, each year or whenever your organization or its electronic systems change, review and update the prior analysis for changes in risk rather than starting over from scratch.
We are hosting a HIPAA website overview and compliance training on February 9 at 1:00PM EST. Sign up here today!
If you have any additional questions about HIPAA Security Risk Analysis, or if you would like assistance completing or reviewing your security risk analysis, please do not hesitate to contact one of our professional consultants.