Whether enrolled in CMS Meaningful Use or subject to HIPAA requirements, an organization must complete a thorough Risk Analysis/Assessment to avoid penalties. When claiming MU incentive payments, the organization must attest that an SRA has been completed, and it would be forced to pay back the funds if, in the event of a subsequent audit, it cannot prove that the assessment properly took place. A risk assessment performed for HIPAA compliance should be sufficient to cover Meaningful Use requirements, as the HIPAA Security Rule involves “all information assets and media that create, receive, maintain or transmit ePHI.”
While a Business Associate may not be involved in CMS incentive programs, they will generally be expected to enter into a BA contract with any healthcare practice before conducting business, in which the associate accepts responsibility for upholding such requirements on their end. The responsibilities of healthcare Business Associates also include performing a Security Risk Assessment, following the same guidelines yet covering the specific nature of their service.
EHR vendors often include a generic SRA document written from the standpoint of their software, if it is considered certified EHR technology (CEHRT), yet the firm is also expected to have a customized action plan to address external threats. HHS/ONC have made a Security Risk Assessment tool available for installation on Microsoft Windows PCs or Apple mobile operating systems, along with document formats:
The HHS/ONC program is intended as a basic guideline for small practices; a BA may need to factor different variables into the equation:
As another option, the NIST Security Rule Toolkit makes a point of including considerations for BAs and is intended for Windows, Mac, or Red Hat Linux:
Such toolkits do not claim that use of the programs alone would be sufficient for meeting legal requirements; they also tend to assume users already have a fair level of understanding of the regulatory environment and security best practices.
PDF documents for SRA guidance provided by various organizations and government agencies:
EHR 2.0 is now offering our own online toolkit, with a focus on usability for those without as much of a technical background, based on our consulting procedures, which have assisted customers with compliance audits. Learn more about our do-it-yourself online security risk analysis toolkit for a small practice.