Conducting and reviewing a security risk analysis (SRA) is perhaps one of the most important HIPAA requirements and Meaningful Use requirements your organization will undertake. An SRA is an ongoing process of continual improvements your organization should address to ensure the privacy and security of your patients' protected health information - not just a one-and-done process.
Occasionally, organizations believe that once an SRA has been performed for the year that they are out of the woods. The problem with that belief is that an SRA should include a corrective action plan to correct identified security deficiencies identified during the SRA process. The following sections will discuss the importance of performing a SRA for Stage 1 and Stage 2 Meaningful Use, when the SRA should be performed, why a corrective action should be part of your organization's risk management process, and the importance of a SRA in the event of an audit.
A Stage 1 and Stage 2 Requirement
Did you know that a security risk analysis needs to be conducted or reviewed during each reporting period for Stage 1 and Stage 2 Meaningful Use?
This means all Meaningful Use participants regardless of which Stage you are in must conduct or review a SRA during each reporting period. Organizations are required to conduct an SRA when certified EHR technology is adopted in the first reporting year; then, conduct or review their SRA during each reporting period:
In Stage 1 Meaningful Use, Core Measure 13's objective states:
Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
The Measure for this objective:
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
There is no exclusion available for this requirement.
The objective for Stage 2 is similar:
Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.
However, the measure for Stage 2 includes additional requirements:
Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.
Like Stage 1, there is no exclusion available.
Corrective Action Plan
"Correct identified security deficiencies as part of the provider's risk management process" is an important part of the SRA process that is often overlooked. As part of the risk analysis, any areas that are lacking or could use improvement that were identified should be addressed, corrected, and any missing policies and procedures should be implemented.
For example, during your SRA you determine your organization does not have a documented disaster recovery plan (DRP). A missing or incomplete DRP should be a high priority focus that is addressed in your action plan. Remember, your SRA identifies deficiencies; high priority deficiencies should be addressed and corrected as part of your corrective action plan prior to your subsequent SRA submission. Your corrective action plan is not only beneficial for SRA purposes - it is important documentation to have in the event your organization is investigated by Office of Civil Rights (OCR) because of a breach.
In the event of an audit
Did you know a lack of documentation demonstrating an SRA was conducted during the Meaningful Use Reporting Period is one of the leading causes of failed audits? As part of the audit process, you will be asked for your SRA that was completed for the specified reporting period. A missing SRA or an SRA that is incomplete may result in penalties or worse, no incentive payment for that attestation year.
Conducting and reviewing a security risk analysis (SRA) is one of the most important HIPAA requirements and Meaningful Use requirements your organization will undertake. A lack of documentation demonstrating a SRA was conducted during the Meaningful Use Reporting Period is one of the leading causes of failed audits. Your corrective action plan should ensure any deficiencies identified during the SRA process and remedied prior to your next reporting period.
If you have any questions, or would like additional information about performing a SRA, please feel free to send us an email at firstname.lastname@example.org or reach us by phone toll-free at 855-427-0427.
Chad Schiffman is the Director of Research & Development with Healthcare Compliance Pros. Chad's background includes over 15 years combined experience in Healthcare, Information Technology and Customer Service. Chad holds degrees in the areas of Medical Specialties and Healthcare Administration, and a master's degree in Healthcare Informatics.