Healthcare practices have an obligation to conduct a risk assessment that ensures compliance with HIPAA’s administrative, physical, and technical safeguards, and reveals areas where their protected health information (PHI) could be at risk. Depending on many factors, including the size of the practice, the sophistication of its information systems, and others, organizations must determine which safeguards are required to be implemented, while having reasonable and equal alternatives for those that may be too complex.
It is increasingly important for healthcare practices to take security seriously. In fact, turning a blind eye to security should not be an option.
Just last year, there was a common finding for each enforcement activity. The majority of organizations the Office for Civil Rights (OCR) settled with failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI. These organizations did not perform a Security Risk Analysis (SRA) at all or failed to complete one that was sufficient for HIPAA regulations.
An SRA is Still a Quality Payment Program Requirement
Occasionally we are asked if performing an SRA is still a requirement under the Merit-Based Incentive Payment System (MIPS) Promoting Interoperability Performance Category. The question generally is asked when a practice notices a score will not be provided. While it’s true you will not receive a “score” for performing or reviewing an SRA, it is still a requirement for the Promoting Interoperability Category Score.
If you turn a blind eye and fail to complete the SRA requirements, you will receive no score in the Promoting Interoperability performance category, regardless of whether other measures in this category are reported.
Do Not Delay – Perform Your SRA!
Each year, we receive several SRAs at the end of the year. Because we receive so many at the end of the year, it is difficult to ensure each report is reviewed, responded to, and marked prior to the new year. To prevent any delays or having your SRA show a reviewed date for the following year, we highly recommend getting your SRA done early. This will allow sufficient time for your SRA to be reviewed and returned to you prior to MIPS attestation.
If you would like more information about the SRA process, please feel free to send us an email at [email protected] or reach us by phone toll-free at 855-427-0427.