The end of the year is approaching and here at Healthcare Compliance Pros, we are ready for the holidays! However, the end of the year also brings the deadline to complete a Security Risk Analysis (SRA) for 2019. We're here to remind you not to get so swept up in the holly jolly spirit that you fail to complete your SRA this year! To ensure one of our compliance specialists can review your SRA this year, please complete and submit your SRA as soon as possible, and no later than December 15th!
What is an SRA and why should it be a part of your compliance program? The HIPAA Security Rule requires organizations to "implement policies and procedures to prevent, detect, contain, and correct security violations" (45 C.F.R. 164.308(a)) to protect patient health information (PHI). Risk analysis is a required implementation specification of the Security Management Process standard. In other words, analyzing the risks to a covered entity's security management processes is required under HIPAA regulations, and it is an ongoing responsibility rather than a one-time task. Since organizations are required to periodically review their security management processes to ensure compliance with the addressable and required elements of HIPAA, completing a Security Risk Analysis (SRA) annually is critical for HIPAA compliance. Completing an SRA is a Quality Payment Program (e.g. MIPS) requirement as well. It must be completed on an annual basis to ensure an organization receives credit for the required measure.
The purpose of an SRA is to identify protected health information (PHI) in all forms (physical and electronic) and assess any threats or vulnerabilities to that PHI. While HIPAA does not mandate a specific format for an SRA, several components should be included, such as:
- Physical, administrative, and technical safeguards
- Identifying potential threats and vulnerabilities
- Assessing current security measures (policies and procedures)
- Assessing potential threats, the likelihood of threats happening, and their potential impacts
- Assessing and prioritizing the level of risk posed by each identified threat and vulnerability
- Creating an action plan
Many payors may have a required format or component list, so be sure to check specific payor contracts and requirements.
Not only does completing an SRA maintain your compliance with the HIPAA Security Rule Risk Analysis requirement, it also helps strengthen your entire compliance program. An effective SRA gives you a more accurate picture of your organization's overall compliance with legal requirements. Identifying the areas where you are most vulnerable and adjusting policies and procedures to address those risks documents your compliance standing on an annual timeline. Any improvements you make to your security management processes are quantifiable year by year, and each SRA demonstrates the progress made annually toward becoming more compliant in each area as you work through action plan items over time.
A few best practices when it comes to the SRA process:
- Complete an SRA each year. Seeing your progress can motivate you to keep making improvements and changes as needed.
- Keep each year's SRA on file for the required 6 years. This is not only the required retention schedule for your SRA documentation, but it also allows you to look back at previous SRAs while completing your SRA for the current year. This allows you to compare your processes and note any changes you have made.
- Make sure to complete your SRA for the correct time period. If an SRA is a required part of your contracts with payors, it will need to reference your compliance standing during that same time period. For example, if you are attesting for 2019, your SRA should reflect your 2019 processes and procedures.
We know completing an SRA each year can seem like a daunting task, but Healthcare Compliance Pros is here to help. Our Comprehensive Security Risk Analysis Program provides you with an online Security Risk Analysis to assess risk levels and provide remedies for potential threats. Once you have completed your SRA and submitted it to HCP, one of our Compliance Specialists will complete a comprehensive review of your SRA, discuss our findings with you during an SRA review meeting, and help create an annual action plan tailored to the areas in which we find your organization most vulnerable. If you would like to add our Comprehensive Security Risk Analysis Program as a resource for your compliance program or have any questions regarding SRAs please email firstname.lastname@example.org or call us at 1-855-427-0427.