Introduction to Security Risk Assessment (SRA) for Meaningful Use and HIPAA Compliance

Whether enrolled in CMS Meaningful Use or falling under the jurisdiction of HIPAA requirements, a thorough Risk Analysis/Assessment is required to avoid penalties. During the process of claiming MU incentive payments, the organization must attest that an SRA has been completed, and would be forced to pay back funds if unable to prove this has properly taken place in the event of a subsequent audit. A risk assessment for HIPAA compliance should be sufficient to cover Meaningful Use requirements, as the HIPAA Security Rule covers "all information assets and media that create, receive, maintain or transmit ePHI."

Whereas a Business Associate may not be involved in CMS incentive programs, they will generally be expected to enter into a BA contract with any healthcare practice before conducting business, in which the associate accepts responsibility to uphold such requirements on their end. The responsibilities of healthcare Business Associates also include performing a Security Risk Assessment, following the same guidelines while covering the specific nature of their service.

EHR vendors often include a generic SRA document from the standpoint of their software, if it is considered certified EHR technology (CEHRT), yet the firm is also expected to have a customized action plan to address external threats. HHS/ONC have made a Security Risk Assessment tool available for installation on Microsoft Windows PCs or Apple mobile operating systems, along with document formats.

The HHS/ONC program is intended as a basic guideline for small practices; a BA may need to factor different variables into the equation:
https://web.archive.org/web/20170824131656/https://www.healthit.gov/providers-professionals/security-risk-assessment-tool

As another option, the NIST Security Rule Toolkit makes a point of including considerations for BAs, and is intended for Windows, Mac, or Red Hat Linux:
http://scap.nist.gov/hipaa/

Such toolkits do not claim that use of the programs alone would be sufficient for meeting legal requirements; they also tend to assume users already have a fair understanding of the regulatory environment and security best practices.

PDF documents for SRA guidance provided by various organizations and government agencies:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
https://www.cms.gov/regulations-and-guidance/legislation/ehrincentiveprograms/downloads/securityriskassessment_factsheet_updated20131122.pdf
https://www.ahia.org/assets/Uploads/pdfUpload/WhitePapers/MeaningfulUseWhitePaper05302012FINAL.pdf
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Additional references:
https://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
http://www.himss.org/News/NewsDetail.aspx?ItemNumber=34165
http://www.hrsa.gov/healthit/toolbox/HIVAIDSCaretoolbox/SecurityAndPrivacyIssues/howdoicomplywitmu.html
http://www.americanbar.org/publications/aba_health_esource/2013-14/may/understanding_the_onc.html

EHR 2.0 now offers its own online toolkit, with a focus on usability for those without as much of a technical background, based on the consulting procedures that have assisted our customers with compliance audits. Learn more about our do-it-yourself online security risk analysis toolkit for a small practice.

Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.