Conducting and reviewing a security risk analysis (SRA) is perhaps one of the most important requirements your organization will undertake. An SRA should be thought of as an ongoing process for your organization to be continually improved upon to ensure the privacy and security of your patients' protected health information (PHI). An SRA should never be considered a one-and-done process.
An SRA is needed for all entities that maintain PHI, not just those who participate in quality payment programs (i.e., MIPS, Meaningful Use, etc.).
Under the HIPAA Security Rule, the Security Management Process standard requires organizations to "implement policies and procedures to prevent, detect, contain, and correct security violations." One of the required Security Management Process implementation specifications, specifically state covered entities and business associates must:
"Conduct an accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information (ePHI) held by the organization."
Healthcare organizations are required to:
- Conduct an initial SRA when certified electronic health record (EHR) technology is implemented.
- Perform an initial assessment, or review and update an existing assessment during policies and procedures implementation. This way you can demonstrate your policies and procedures considered potential risks or threats and had a plan in place to address deficiencies.
- Subsequent SRA reviews and updates should occur at least annually if there are any changes to your EHR technology (e.g., a change to cloud-based instead of server-based) or policies and procedures that impact how ePHI is handled in your organization.
5 Best practices for performing an SRA
1. Avoid using "checklist" options when performing your initial and subsequent SRA submissions.
When preparing to perform an SRA you may discover there are several "checklist" options available on the internet. While these checklists can be useful tools for starting a risk analysis, they do not fulfill the requirements for performing a systematic SRA or documenting that one has been performed.
2. Conduct an initial SRA and identify any areas that are lacking or could use improvement.
Your initial SRA should require the most work upfront. The SRA encompasses all potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits.
3. Once these areas are identified, create an action plan to address these areas prior to your next SRA submission.
Your action plan should address how and when areas that are lacking or could use improvement will be addressed. For example, during the SRA if you determine that your password policy is lacking since it doesn't require unique IDs and strong passwords. Your action plan to address this could include that, during the next 90 days and prior to your next SRA submission, you will create a policy that requires unique IDs and strong passwords, as well as determining specific password requirements (at least 8 characters, multi-case, not easy to guess, etc.).
4. Even if you have installed and implemented a certified EHR, you must perform a full security risk analysis to fulfill quality payment program requirements.
Many professionals and organizations believe EHR vendors already address privacy and security issues. Additionally, in 2019 several MIPS program participants believe an SRA is not required. While it's true EHR vendors offer some information about security, it is actually a requirement for all covered entities and business associates to conduct a risk analysis. Even though an SRA is not scored for MIPS in 2019, it is still required under the Promoting Interoperability category.
5. Perform subsequent SRA reviews and updates at least on an annual basis thereafter - this means conducting an SRA is not a one and done process.
Failing to perform an SRA or have documentation demonstrating a HIPAA compliant assessment was performed continues to be a deficiency OCR is focused on. Healthcare organizations can protect themselves making sure their initial SRA is at least reviewed and/or updated, on an annual basis (or more frequently, if necessary).
Need to Perform an SRA?
Healthcare Compliance Pros can help you fulfill your requirements! Our SRA tool is designed to help identify areas that should be addressed, corrected and where policies and procedures may be missing. Once submitted, your SRA will receive a comprehensive review and custom action plan provided by one of our HIPAA professionals. We like to think of our SRA as living and breathing documentation of all the information that you entered previously, so you won't need to complete the entire SRA from scratch each year. Instead, you fill out what was addressed or corrected. This also allows you to show ongoing compliance efforts your organization has made as each SRA report that is marked complete is archived and accessible as needed.
Need additional assistance? We can come on site and perform an SRA, a HIPAA Walkthrough, and other assessments. Contact us for details and pricing: firstname.lastname@example.org or by phone: 855-427-0427