Request a Live Demo

Please take a minute to tell us about yourself

* All fields required

View our Privacy Policy  or  Terms and Conditions.


Thanks! We'll be in touch soon!

In the meantime, please feel free to give us a call at 800.981.5084, explore the site or check out a video.

An error occured

Please feel free to give us a call at 800.981.5084


athenahealth logo


CloudView blog

Ideas and insights to help health care providers stay informed and profitable in today's challenging health care environment.

When Security Risk Assessment is Only Half the Picture

by Rich Devlin, Co-Founder and CEO, Sentry Healthcare Informatics

Many healthcare providers find themselves begrudgingly performing a HIPAA Security Risk Assessment (SRA) in order to apply for Meaningful Use attestation.  The SRA is just one of four parts of HIPAA, the federal mandate all healthcare providers must comply with annually, and a requirement for any MU application.  It’s also just one piece of providers’ yearly compliance obligation for Protected Health Information (PHI) security, necessary for a host of other federal healthcare programs besides MU.

Providers who focus solely on the SRA risk simply aren’t maximizing their compliance opportunities or eligibility for federal programs.  By fully complying with all four parts of HIPAA--Compliance Program, Privacy Controls, Security Controls and IT Asset Risk Analysis--healthcare providers can cover the necessary risk assessment required for Meaningful Use, MACRA, MIPS and any other federal healthcare program.

A yearly risk assessment, which includes the SRA, takes on average more than two hours and should be performed by a professional who uses an online system to follow a structured, repeatable process.

So, what’s involved in a HIPAA risk assessment?

A comprehensive Compliance Program assessment

Providers should undertake a thorough review of the seven core elements of a compliance program: Policies & Procedures, Training, Personnel, Communications, Sanctions, Risk/Audit/Monitoring and Mitigation. Consider:

  • Are your HIPAA policies up to date, approved, implemented and effective?
  • Do you have written procedures for your policies?
  • How often do you train your employees on your HIPAA policies and procedures?
  • Who performs the training? What are their qualifications?
  • Describe how you perform annual risk assessments, and follow up with mitigation response?
  • How are you monitoring for HIPAA Compliance? Do you perform internal audits?

Privacy and Security Controls

Evaluate privacy and security control policies, procedures, implementation and effectiveness regarding General Authorization, Uses and Disclosures, and Administration of Policies and Procedures. Examples include:

  • Authorization to disclose patient PHI to organizations necessary to carry out treatment, payment, and healthcare operations
  • Authorization requirements for psychotherapy notes
  • Ability to request and (if reasonable) accommodate requests to receive confidential communications of e-PHI 

IT Asset Risk Assessment

The IT Asset risk assessment is the longest and most involved part of the HIPAA risk assessment. It requires the participation of the office manager, IT manager, and sometimes the practice executive. The process begins with an inventory of all the software, hardware, business associates, medical records and facilities owned and operated by the healthcare provider. The software running on the firm’s intranet that actually touches PHI needs to be cataloged, as well as the hardware it runs online. Examples include desktop PC’s, LAN equipment, laptops and smart phones. The IT Asset risk assessment follows the NIST cybersecurity procedure, looking at threats, vulnerabilities, safeguards, likelihood, impact and aggregate risk. Safeguards are further described as managerial, operational and technical controls. These safeguards are maintained by NIST.

Order of Operations

Each of the four parts of the HIPAA risk assessment is followed by a mitigation plan that identifies elements for remediation. Vulnerabilities exist across the spectrum, from weaknesses in training, or incomplete password procedures on an intranet that touches PHI. For each weakness, gap or deficiency, the provider must develop a corresponding mitigation plan.  All mitigation plans roll up into an executive summary.

Don’t Delay

Performing a yearly HIPAA risk assessment is federally mandated.  To the surprise of many, an SRA alone does not achieve complete compliance and leaves providers’ exposed to major fines and Meaningful Use penalties. Sentry’s Spartan Healthcare Risk Management platform follows a complete, accurate and timely approach to completing a HIPAA risk assessment. 

For more information on this process, visit Sentry Healthcare Informatics on the athenahealth Marketplace.  If you’re an athenahealth client, join Steven Marco, President of HIPAA One; Rich Devlin, CEO of Sentry Healthcare Informatica; and Jonathan Seery of athenahealth for a webinar on Wednesday, June 29th at 1pm EST on the history of HIPAA and the SRA requirement, what makes an SRA successful and audit-proof, and what you can do NOW to kick off your SRA and ensure compliance

athenahealth clients, click here to register for this event.

Rich Devlin is the technical architect behind Sentry’s Spartan Healthcare Risk Management platform and its lead consultant to healthcare providers and business associates performing HIPAA / SRA risk assessments.  Coming to healthcare with a successful risk management platform developed and deployed for banks complying with federal regulations, Mr. Devlin brings a collaborative, robust, scalable system to meet the needs of the small to the large.  Mr. Devlin’s background ranges from applications software development to large computer systems design.  He was the Senior Product Manager for the two most successful server product lines in the history of Digital Equipment Corporation.  He developed CAD/CAE software in semiconductor research and circuit simulation.  Mr. Devlin additionally has been a successful salesperson / marketer / product line manager for small software firms.  He graduated from Holy Cross with an AB in Mathematics and Physics, and a MBA from Babson College.

View full profile and posts from author

Cloudview Blog

Ideas, insights and analysis to help physicians, medical groups and health systems stay informed and profitable in today's challenging health environment.

Latest from Twitter

Post your comment


This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.