A look at the calendar tells us that we only have a short time left in 2018. That means many practices will be looking to complete their Security Risk Assessments in order to either qualify for the 2018 Merit-based Incentive Payment System (MIPS) or to simply fulfill their obligations to comply with the HIPAA Security Rule.
It’s a good time to remember what exactly is required of a practice when conducting a Security Risk Assessment, as there tends to be quite a bit of confusion around what the Risk Assessment should include. The following are five quick reminders that might help as we move into the latter part of the year:
It’s Not Just a Checklist. A proper Security Risk Assessment is a thorough process in which a covered entity under HIPAA identifies, prioritizes, and estimates the risks to practice operations resulting from the use or implementation of a specific technology. Once the risks are identified, a mitigation plan should be created that essentially provides a roadmap for ongoing risk management.
Don’t Just Focus On EMR. While your EMR system, and the safeguards in place to protect EMR data, should absolutely be part of the Risk Assessment process, you should also spend time assessing the risk to protected data that sits outside of the EMR system. First identify the ePHI in the practice that resides outside of the EMR application (e.g. files stored on users’ personal computers, data stored in ancillary systems, copiers and scanners, etc.) and assess the risk associated with this data as part of the assessment.
There’s No Specific Methodology Required. While OCR has provided practices with guidance regarding the Security Risk Assessment requirement, there is no mandatory process or method that a practice must follow in order to comply with the requirement. However, most security professionals recommend following accepted industry frameworks, such as those provided by the National Institute of Standards and Technology (NIST).
Revisit Previous Risk Assessments to Show Progress. When conducting a new Security Risk Assessment, review past analysis and make an effort to document progress made with regards to risk mitigation. As the spirit of the Security Rule has always been to encourage covered entities to use the Risk Assessment as a starting point for ongoing Risk Management, documenting progress made will show that the practice doesn’t simply consider the Assessment a rote exercise, but instead a vital part of managing risk on an ongoing basis.
You Don’t Have to Outsource Your Security Risk Assessment. OCR points out that there is no requirement, neither in the Security Rule nor under MIPS, for covered entities to outsource their Security Risk Assessment. In fact, OCR has published a free, downloadable tool that practices can use to help with their efforts to fulfill the requirement. However, OCR goes out of its way to explain the time commitment and skill set required to adequately use the tool, and encourages all covered entities to seek professional assistance when considering using these resources to self-perform the Security Risk Assessment.
Keep in mind, a thorough Security Risk Assessment must be able to stand up to an auditor, especially in the event of a security incident. A lack of proper risk analysis is cited in many investigative findings that have also carried large financial penalties. Take the time this year to consider how your practice is going to approach the Security Risk Assessment, and treat it as an opportunity to look at where you might be vulnerable and how the Assessment can be used as a springboard for true Risk Management in 2019.
Nick Cofield serves as Director of Client Services for Jackson Thornton Technologies.