Security Risk Assessment for Meaningful Use/MACRA and HIPAA Compliance

Conducting a Meaningful Use security risk assessment is REQUIRED for all eligible professionals or hospitals attesting to Meaningful Use (MU) in 2016 and MACRA in 2017 to receive incentive payments and avoid any monetary penalties. Any organization that is a Covered Entity or Business Associate under HIPAA regulations MUST complete an annual security risk assessment, then maintain a supporting risk management plan for potential HHS/OCR audit.

Why now?

Meaningful Use security audits are actively being conducted by Figliozzi and Company on a pre-payment and post-payment basis, and several firms have forfeited large sums of incentive payments by failing to produce proper supporting documentation. In addition, the Quality Payment Program, a.k.a. MACRA, requires a security risk analysis measure to be completed. HIPAA Phase 2 audits also focus specifically on a comprehensive security risk assessment of all ePHI produced, stored or transmitted. Theft and unauthorized transfer of medical records is a lucrative criminal enterprise, and reported data breaches have resulted in severe financial loss; risk assessment is one of the most effective methods to avoid these incidents. Risk analysis is also the first step in HIPAA Security Rule compliance efforts.

Why EHR 2.0?

A Meaningful Use security risk assessment checklist or HIPAA risk assessment checklist is not sufficient to handle advanced persistent threats on patient data. Certified security experts at EHR 2.0 take a systematic approach to meeting this requirement and include an audit support guarantee. Decades of experience in successfully conducting technical risk analyses, and our best practice-based online toolkit platforms, with guidance drawn from various authoritative sources, help you not only meet the compliance requirements but also secure your practice.

Ready to conduct an SRA? Choose one of the options below:

Online DIY Security Risk Assessment (SRA) Toolkit

  • Perform the SRA in-house with a user-friendly tool
  • Generate action plans from pre-populated solutions
  • Download and print reports instantly
  • Optional consulting service
  • Security awareness training for staff
  • External network and web vulnerability scan

Security Risk Analysis Consulting Service

  • Performed by a consultant with security certifications
  • Customized action plans and prioritizations
  • Documents required by auditors prepared on your behalf
  • CMS, HHS/OCR, & OIG audit support guarantee
  • Security awareness training for staff
  • External network and web vulnerability scan
 

Our step-by-step approach:

  1. Defining the scope of the security risk analysis
  2. Inventorying ePHI systems
  3. Assessing current security measures and reviewing the past security risk assessment report
  4. Determining the likelihood of threat occurrence
  5. Identifying risks using automated and manual vulnerability analysis
  6. Prioritizing implementation
  7. Documentation of findings
  8. Security risk assessment report
    • Summary Report
    • Action Plan
  9. Annual update

If you want to learn more about the process and regulatory requirements, we also recommend the following resources:

Top 10 Myths about SRA

Top 10 myths of security risk analysis by HealthIT.gov

Meaningful Use security requirements by CMS

Guide for conducting risk assessments by NIST

Basics of risk analysis and risk management by HHS

Conducting or reviewing a security risk analysis for eligible professionals, hospitals, or critical access hospitals’ core objective measures as part of modified Stage 2 or Stage 3.

Additional Resources

Sample Meaningful Use security risk assessment template >>

Download our white paper on Meaningful Use security risk analysis >> 

 See our related blog posts on Meaningful Use security risk analysis >>

View on-demand webinar on Meaningful Use attestation >>
