The end of the
year is approaching and here at Healthcare Compliance Pros, we are ready for the
holidays! However, with the end of the year comes the deadline to complete a
Security Risk Analysis (SRA) for 2019 as well. We're here to remind you not to get too swept up with the holly jolly
spirit that you fail to complete your SRA this year! In order to ensure one of
our compliance specialists can review your SRA this year, please complete and
submit your SRA as soon as possible, no later than December 15th!!
What is an SRA and why should it be a part of your compliance program? The HIPAA Security Rule requires organizations to "implement policies and procedures to prevent, detect, contain, and correct security violations" (45 C.F.R. 164.308(a)) to protect patient health information (PHI). Risk analysis is a required implementation specification of the Security Management Process standard. Basically, analysis of the risk of a covered entity's security management processes is required under HIPAA regulations and is an ongoing responsibility. Since organizations are required to periodically review their security management processes to ensure compliance with the addressable and required elements of HIPAA, completing a Security Risk Analysis (SRA) annually is critical for HIPAA compliance. Completing an SRA is a Quality Payment Program (e.g. MIPS) requirement as well. It must be completed on an annual basis to ensure an organization receives credit for the required measure.
The purpose of an SRA is to identify protected health information (PHI) in all forms (physical and electronic) and assess any threats or vulnerabilities to that PHI. While there's not a HIPAA required format for an SRA, several components should be included such as:
- Physical, administrative, and
- Identifying potential threats and
- Assessing current security measures
(policies and procedures)
- Assessing potential threats, the
likelihood of threats happening, and their potential impacts
- Assessing and prioritizing the level
of determining risks (threats and vulnerabilities)
- Creating an action plan
Many payors may
have a required format or component list so be sure to check specific payor
contracts and requirements.
Not only does completing an SRA maintain your compliance with the HIPAA Security Rule Risk Analysis requirement, it also helps strengthen your entire compliance program. An effective SRA gives you a more accurate picture of your organization's overall compliance with legal requirements. Identifying areas where you are the most vulnerable and adjusting policies and procedures accordingly in order to address those risks shows your compliance standing on an annual timeline. Any improvements you make to your security management processes are quantifiable year by year and each SRA demonstrates the progress made annually toward becoming more compliant in each area as you work on action plan items over time.
A few best practices when it comes to the SRA process:
- Complete an SRA each year. Seeing
your progress can motivate you to keep making improvements and changes as
- Keep each year's SRA on file for the
required 6 years. This is not only the required retention schedule for
your SRA documentation, but it also allows you to look back at previous
SRAs while completing your SRA for the current year. This allows you to
compare your processes and note any changes you have made.
- Make sure to complete your SRA for
the correct time period. If an SRA is a required part of your contracts
with payors, it will need to reference your compliance standing during
that same time period. If attesting for 2019, your SRA should also reflect
your 2019 processes and procedures, etc.
We know completing an SRA each year can seem like a daunting task, but Healthcare Compliance Pros is here to help. Our Comprehensive Security Risk Analysis Program provides you with an online Security Risk Analysis to assess risk levels and provide remedies for potential threats. Once you have completed your SRA and submitted it to HCP, one of our Compliance Specialists will complete a comprehensive review of your SRA, discuss our findings with you during an SRA review meeting, and help create an annual action plan tailored to the areas in which we find your organization most vulnerable. If you would like to add our Comprehensive Security Risk Analysis Program as a resource for your compliance program or have any questions regarding SRAs please email email@example.com or call us at 1-855-427-0427.