The HIPAA Security Risk Assessment (also called Security Risk Analysis or SRA) is perhaps the most misunderstood, yet arguably the most important component of HIPAA compliance in your practice. The SRA is the cornerstone of your HIPAA program and will be requested by CMS in the event of a Meaningful Use audit.
WHY ALL THIS FUSS ABOUT SRA?
Almost every day you pick up the newspaper or watch the news and find out about a new data breach. Data breaches are not welcome events, especially in healthcare. That is because medical information, particularly electronic patient health information (e-PHI) is worth a lot of money on the black market. It can be used to file fake tax returns, false health insurance claims and even to receive medical care or prescriptions. Data breaches don’t affect just large organizations such as hospitals and healthcare systems; there are many smaller organizations, such as clinics and private practices that have had breaches. Take a peek at the HHS Wall of Shame to see examples.
HHS IS TRYING TO DO EVERYTHING IT CAN TO REDUCE DATA BREACHES. HOWEVER …
Each organization that creates, receives, maintains or transmits e-PHI (a covered entity, and, since the HITECH/Omnibus changes, its business associates as well) must do what it can to minimize the chance of a data breach. Note that the word “minimize” and not “eliminate” is used. While you can’t eliminate the risk, you can reduce the risk that a data breach will occur in your practice. Enter the Security Risk Assessment. This is the vehicle used for that purpose, and it is required by the HIPAA Security Rule itself (45 CFR 164.308(a)(1)(ii)(A)). That is why it has been listed as a Core Measure in Meaningful Use stages 1 and 2. Lack of a proper SRA is the number one reason why practices fail Meaningful Use audits. It is also a document you will be asked to produce in any HIPAA compliance review.
SO WHAT IS A SECURITY RISK ASSESSMENT?
It’s a process that will help you measure the impact of threats and vulnerabilities that pose a risk to the confidentiality, integrity and availability of your e-PHI. Once you have completed the risk assessment, you’ll need to develop and implement safeguards that reduce those risks. For example, many physicians carry laptops between the office and their homes, and these laptops may have e-PHI stored in reports, copies of letters, or other documents. If one of those laptops is lost or stolen, you have a reportable data breach. So once you’ve identified the risk during your Security Risk Assessment, you can mitigate it by encrypting the laptops. Note the caveat: the loss of a device stops being a reportable breach only when the e-PHI on it is encrypted in a way that meets HHS guidance (full-disk encryption, with the decryption key not stored on the device itself); a password prompt on an unencrypted disk does not qualify.
The process of performing a Security Risk Assessment is complicated, but here is an overview of how you might approach it:
- Inventory patient information — Conduct an inventory of where patient information is stored, accessed or transmitted. Most people think of EHRs as their only source of patient records, but patient information can be in a Microsoft Word document in the form of patient letters, or Excel spreadsheets as billing reports, or scanned images of insurance explanation of benefits (EOB). These documents could be on desktops or laptops. Patient information could also reside in emails or text messages on smartphones or tablets.
- Assess current security measures — An SRA looks at how patient information is currently protected. How often does the practice perform data backups? Is there a termination procedure? Do employees have the minimum level of access to patient information? Are all portable devices secured and protected?
- Evaluate common threats to patient information — The SRA will identify threats, assess their likelihood, and evaluate the potential impact if the threat were to occur. Common threats include employees pilfering patient records, fire or flood, lost or stolen laptops containing patient information, or faxing clinical information to the wrong fax number — to name just a few. While a fire or flood may not be very likely to occur, its impact can be devastating if your data is not backed up appropriately. Frequent travel with a laptop containing unprotected information on your full patient population would likely be assessed as both high likelihood and high impact.
- Recommend additional security — An SRA includes identifying additional security measures to prevent a specific threat and/or reduce its impact. For example, limit who can take laptops out of the office, or ensure that the data on laptops is properly protected and that they’re safely locked in a secured cabinet.
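The four steps above (inventory, assess, rate likelihood and impact, recommend safeguards) are usually captured in a risk register. The script below is an added illustration of that register, not a tool from the page or from Coronis or HIPAA Secure Now: it uses the qualitative low/medium/high scales common in SRA work (the NIST SP 800-30 style), scores each threat as likelihood multiplied by impact, then applies the listed safeguards to show the residual risk that remains. The assets, threats, ratings and safeguards are constructed sample input built from the examples in the text; the numeric ratings are assumptions for illustration and are not an assessment of any real practice.

```python
"""Constructed risk register for a small-practice SRA (illustrative example only).

Scales are the qualitative low/medium/high scales used in NIST SP 800-30 style
assessments. Assets, threats, ratings and safeguards below are made-up sample
input for the page's examples; they are assumptions, not real findings.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE = {"low": 1, "medium": 2, "high": 3}


def level(score: int) -> str:
    """Map a likelihood x impact product (1..9) onto a risk level."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Safeguard:
    name: str
    likelihood_delta: int = 0   # steps the safeguard moves likelihood down the scale
    impact_delta: int = 0       # steps the safeguard moves impact down the scale


@dataclass
class Threat:
    name: str
    asset: str                  # where the e-PHI lives, from the inventory step
    likelihood: str
    impact: str
    safeguards: list[Safeguard] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any recommended safeguard is applied."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual(self) -> int:
        """Risk after safeguards; neither factor can drop below 'low' (1)."""
        lik = SCALE[self.likelihood] - sum(s.likelihood_delta for s in self.safeguards)
        imp = SCALE[self.impact] - sum(s.impact_delta for s in self.safeguards)
        return max(1, lik) * max(1, imp)


def build_register(threats: list[Threat]) -> list[dict]:
    """Rank threats by residual risk, highest first (inherent risk breaks ties)."""
    rows = []
    for t in threats:
        rows.append({
            "threat": t.name,
            "asset": t.asset,
            "inherent": t.inherent(),
            "inherent_level": level(t.inherent()),
            "residual": t.residual(),
            "residual_level": level(t.residual()),
            "safeguards": [s.name for s in t.safeguards],
        })
    return sorted(rows, key=lambda r: (r["residual"], r["inherent"]), reverse=True)


def open_findings(register: list[dict], threshold: str = "medium") -> list[str]:
    """Threats whose residual risk is still at or above the threshold."""
    return [r["threat"] for r in register if SCALE[r["residual_level"]] >= SCALE[threshold]]


# Constructed sample input drawn from the examples in the text (ratings are assumptions).
SAMPLE_THREATS = [
    Threat("Laptop with unencrypted e-PHI lost or stolen", "physician laptops (reports, letters)",
           "high", "high",
           [Safeguard("Full-disk encryption, key not stored on device", impact_delta=2),
            Safeguard("Only designated staff may take laptops off-site", likelihood_delta=1)]),
    Threat("Fire or flood destroys the on-site EHR server", "on-site EHR server",
           "low", "high",
           [Safeguard("Nightly encrypted off-site backups, restore tested quarterly", impact_delta=1)]),
    Threat("Employee copies patient records for resale", "EHR and billing spreadsheets",
           "medium", "medium",
           [Safeguard("Role-based, minimum-necessary access", likelihood_delta=1)]),
    Threat("Clinical fax sent to the wrong number", "fax machine / e-fax",
           "medium", "low",
           [Safeguard("Pre-programmed numbers and cover-sheet confirmation", likelihood_delta=1)]),
    Threat("e-PHI in text messages on personal smartphones", "staff smartphones",
           "high", "medium", []),   # no safeguard yet: this should surface as an open finding
]

if __name__ == "__main__":
    register = build_register(SAMPLE_THREATS)
    for row in register:
        print(f"{row['residual_level']:6} (was {row['inherent_level']:6}) {row['threat']}")
    print("open findings:", open_findings(register))
```

The point the register makes is the one the text makes: the unencrypted-laptop threat starts as the highest inherent risk in the practice, and encryption plus a checkout policy bring it down to low, while the threat nobody has addressed (e-PHI in text messages) is what the assessment should surface as the next safeguard to recommend.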
PERFORMING AN SRA IS NOT AN EASY THING TO DO.
It requires someone who has experience in these matters and is an expert in HIPAA, computer networking and cybersecurity. You probably have an accountant prepare your practice’s taxes and a lawyer review legal agreements. The same concept applies to the SRA. In fact, CMS provides an SRA Tipsheet that includes the statement: “…it is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”
Based on the cybersecurity landscape, the risks of a data breach, increased HIPAA penalties and the prevalence of MU Audits, Coronis now recommends that the SRA for your practice be performed by an expert, outside third-party. While many information technology firms offer this service, they are frequently focused on the complex needs of hospitals and health systems along with correspondingly high fees.
We’re pleased to have identified HIPAA Secure Now as a vendor with appropriate expertise and working knowledge of small and mid-size practices. They provide guidance and tools to develop a full SRA along with sample policies and on-line training for your staff.
Note: Billing clients of Coronis that elect to use HIPAA Secure Now products can receive a 15% discount. Contact your client analyst to obtain the discount code.