Security Risk Assessment

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

The HIPAA Security Rule mandates that covered entities conduct a security risk assessment, or SRA. Covered entities include health care plans for individuals, government plans (Medicare, Medicaid, Obamacare), and employer-sponsored plans. Providers that conduct electronic health care transactions must comply with the Security Rule, which means conducting an SRA. It is recommended that this occurs on an annual basis. If you are audited, you will be required to show your SRA. Because the SRA is considered a living document, any change that occurs within your business merits an update to it. Beyond your initial HIPAA implementation, triggers for an update include a breach, any large-scale update to your software or hardware systems, and a gap of more than two years since the last assessment.

What Is In the SRA?

The SRA reviews key areas of your business within the administrative, technical, and physical safeguards that you have in place. The Administrative Safeguards identify your plans and policies: How do you deal with employees who violate those policies? How often are they reviewed, and how will you handle a breach? The Technical Safeguards outline the protection of electronic PHI. You must identify a plan for data backup, disaster recovery, and how your business will continue to run in the case of an emergency. Finally, the Physical Safeguards address the physical assets within the business. This includes granting and controlling access to your office and protecting patient files.

Poor Excuse

Do not feign ignorance about the gaps in your security program and HIPAA compliance. This becomes an issue if you are audited. Providers mistakenly think that if they don't conduct an SRA, they aren't liable for what they don't know. Denying accountability is not an excuse. Since HIPAA does not specify how an SRA must be conducted, many methodologies are available to choose from.

This article was originally published on HIPAA Secure Now! and is republished here with permission.