Many healthcare providers begrudgingly perform a HIPAA Security Risk Assessment (SRA) only because Meaningful Use (MU) attestation requires it. The SRA is just one of the four parts of a complete HIPAA risk assessment under HIPAA, the federal rule every covered healthcare provider must comply with, and it is a requirement for any MU application. It is also only one piece of a provider's recurring compliance obligation for Protected Health Information (PHI), an obligation that a host of other federal healthcare programs besides MU rely on.
Providers who focus solely on the SRA get less out of the effort than they could, and do not maximize their eligibility for federal programs. By completing all four parts of a HIPAA risk assessment--Compliance Program, Privacy Controls, Security Controls and IT Asset Risk Analysis--healthcare providers cover the risk assessment required for Meaningful Use, MACRA (including MIPS) and other federal healthcare programs in one pass.
A full yearly risk assessment, which includes the SRA, takes on average more than two hours to complete. It is best performed by someone with compliance experience, using a tool that enforces a structured, repeatable and documented process so that the results can stand up to an audit.
So, what’s involved in a HIPAA risk assessment?
A comprehensive Compliance Program assessment
Providers should undertake a thorough review of the seven core elements of a compliance program: Policies & Procedures, Training, Personnel, Communications, Sanctions, Risk/Audit/Monitoring and Mitigation. Consider:
- Are your HIPAA policies up to date, approved, implemented and effective?
- Do you have written procedures for your policies?
- How often do you train your employees on your HIPAA policies and procedures?
- Who performs the training? What are their qualifications?
- How do you perform your annual risk assessment, and how do you follow up with a mitigation response?
- How are you monitoring for HIPAA Compliance? Do you perform internal audits?
Privacy and Security Controls
Evaluate privacy and security control policies, procedures, implementation and effectiveness regarding General Authorization, Uses and Disclosures, and Administration of Policies and Procedures. Examples include:
- Authorization to disclose patient PHI to organizations necessary to carry out treatment, payment, and healthcare operations
- Authorization requirements for psychotherapy notes
- A patient's right to request, and the provider's obligation to accommodate reasonable requests for, confidential communications of PHI by alternative means or at alternative locations
IT Asset Risk Assessment
The IT Asset risk assessment is the longest and most involved part of the HIPAA risk assessment. It requires the participation of the office manager, the IT manager, and sometimes the practice executive. The process begins with an inventory of all the software, hardware, business associates, medical records and facilities owned and operated by the healthcare provider. Every piece of software on the practice's network that actually creates, stores or transmits PHI needs to be cataloged, along with the hardware it runs on: desktop PCs, LAN equipment, laptops and smartphones, for example. The IT Asset risk assessment then follows the NIST risk-assessment methodology (NIST SP 800-30), working through threats, vulnerabilities, existing safeguards, likelihood, impact and aggregate risk for each in-scope asset. Safeguards are classified as managerial, operational and technical controls, following the control catalog NIST maintains in SP 800-53.
Order of Operations
Each of the four parts of the HIPAA risk assessment is followed by a mitigation plan that identifies the elements needing remediation. Vulnerabilities exist across the whole spectrum, from weaknesses in training to incomplete password procedures on a network segment that touches PHI. For each weakness, gap or deficiency, the provider must develop a corresponding mitigation plan with an action, an owner and a target date. All mitigation plans roll up into an executive summary.
Performing a HIPAA risk assessment is federally mandated, and Meaningful Use attestation requires one for each reporting period. To the surprise of many, an SRA alone does not achieve complete compliance and leaves providers exposed to major fines and Meaningful Use penalties. Sentry's Spartan Healthcare Risk Management platform follows a complete, accurate and timely approach to completing a HIPAA risk assessment.
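The IT Asset risk assessment and the mitigation rollup described above are a well-defined procedure: inventory the assets that touch PHI, pair each with its threats and vulnerabilities, rate likelihood and impact, credit the safeguards in place, and turn every finding whose residual risk is not acceptable into a mitigation item that feeds an executive summary. The following Python script is an added example of that procedure and is not part of the original article or of Sentry's platform. The five-level scales follow the qualitative style of NIST SP 800-30; the integer mapping, the rating thresholds, the "levels of likelihood removed per safeguard" model, and the inventory itself are all assumptions constructed for illustration, not regulatory rules.

```python
# Added example (not from the original article or Sentry's product): a small,
# deterministic model of the IT-asset risk assessment and mitigation rollup.
# Scales, thresholds, the safeguard model and the sample inventory are assumed.
from dataclasses import dataclass

# Qualitative 5-level scale (SP 800-30 style); integer mapping is an assumption.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str          # software, hardware, business associate, records, facility
    touches_phi: bool  # only assets that create, store or transmit ePHI are in scope


@dataclass(frozen=True)
class Safeguard:
    name: str
    control_type: str          # managerial, operational or technical
    reduces_likelihood_by: int  # likelihood levels this control removes (assumed model)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str     # LEVELS key, before crediting safeguards
    impact: str         # LEVELS key
    safeguards: tuple   # Safeguard instances currently in place
    remediation: str    # planned action if residual risk is not acceptable
    owner: str


def in_scope(assets):
    """Inventory step: only assets that touch PHI are assessed."""
    return [a for a in assets if a.touches_phi]


def inherent_risk(f):
    """Likelihood x impact with no credit for safeguards (1..25)."""
    return LEVELS[f.likelihood] * LEVELS[f.impact]


def residual_risk(f):
    """Safeguards lower the likelihood level, never below 'very low'."""
    reduction = sum(s.reduces_likelihood_by for s in f.safeguards)
    return max(1, LEVELS[f.likelihood] - reduction) * LEVELS[f.impact]


def rate(score):
    """Band a 1..25 score for reporting; thresholds are an assumption."""
    return "high" if score >= 15 else "moderate" if score >= 6 else "low"


def mitigation_plan(findings):
    """One remediation entry per finding whose residual risk is not low, worst first."""
    return [
        {"asset": f.asset.name, "gap": f.vulnerability, "residual": rate(residual_risk(f)),
         "action": f.remediation, "owner": f.owner}
        for f in sorted(findings, key=residual_risk, reverse=True)
        if rate(residual_risk(f)) != "low"
    ]


def executive_summary(findings):
    """Rollup for the executive summary: counts per rating and open mitigation items."""
    counts = {"high": 0, "moderate": 0, "low": 0}
    for f in findings:
        counts[rate(residual_risk(f))] += 1
    return {"assets_assessed": len({f.asset.name for f in findings}),
            "by_rating": counts, "open_items": len(mitigation_plan(findings))}


def sample_inventory():
    """Constructed inventory for a small practice (not real data)."""
    return [Asset("EHR application", "software", True),
            Asset("Front-desk laptop", "hardware", True),
            Asset("Billing clearinghouse", "business associate", True),
            Asset("Waiting-room TV", "hardware", False)]


def sample_findings():
    """Constructed threat/vulnerability pairs for the in-scope assets."""
    ehr, laptop, biller = in_scope(sample_inventory())
    return [
        Finding(ehr, "credential theft", "shared logins, no MFA", "high", "very high",
                (Safeguard("password complexity policy", "technical", 1),),
                "enable MFA and issue individual accounts", "IT manager"),
        Finding(laptop, "theft or loss", "no full-disk encryption", "moderate", "high",
                (Safeguard("cable lock at front desk", "operational", 1),),
                "enable full-disk encryption", "IT manager"),
        Finding(biller, "vendor breach", "business associate agreement expired", "low", "high",
                (Safeguard("annual BAA review", "managerial", 1),),
                "renew BAA", "Office manager"),
    ]


if __name__ == "__main__":
    fs = sample_findings()
    for item in mitigation_plan(fs):
        print(item)
    print(executive_summary(fs))
```

Running the script lists the two open mitigation items (the EHR credential finding rated high, the laptop finding rated moderate) and a summary showing three assets assessed, one each at high, moderate and low, with the non-PHI TV excluded at the inventory step. The point of the structure is that the same inputs, scored the same way, give the same answer next year, which is what makes the assessment repeatable and defensible in an audit.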
For more information on this process, visit Sentry Healthcare Informatics on the athenahealth Marketplace. If you're an athenahealth client, join Steven Marco, President of HIPAA One; Rich Devlin, CEO of Sentry Healthcare Informatics; and Jonathan Seery of athenahealth for a webinar on Wednesday, June 29th at 1pm EST on the history of HIPAA and the SRA requirement, what makes an SRA successful and audit-proof, and what you can do NOW to kick off your SRA and ensure compliance.
athenahealth clients, click here to register for this event.