A HIPAA Risk Analysis gives an organization an understanding of its current level of compliance with HIPAA and of where risks exist within its compliance program. However, there is a lot of confusion about how a HIPAA Risk Analysis should be completed. It is important that each Covered Entity and Business Associate understand the risk analysis and ensure it is properly conducted for their specific organization. Understanding the common myths about the risk analysis can help an organization build the risk process and the tasks needed to complete its risk analysis.
Myth #1 – The Security Risk Analysis is optional for small providers. FALSE
All providers who are classified as a covered entity or a business associate must complete a HIPAA Risk Analysis in order to comply with the HIPAA Security Rule Section 164.308(a)(1). The HIPAA Security Rule doesn’t define how often the Risk Analysis must be completed; rather, it must be completed, and the risks identified must be addressed and corrected.
Myth #2 – By Installing a Certified Electronic Health Record (EHR), the Security Risk Analysis Requirement is Complete. FALSE
Even though the certification process requires that EHRs meet some baseline security requirements, it does not satisfy the entire HIPAA Privacy Rule and HIPAA Security Rule regulations. The Risk Analysis is intended to look at all practices and processes that involve protected health information, whether electronic, verbal, paper, or other media. Regardless of whether the healthcare organization has a certified EHR, an electronic practice management system, or a paper-based practice, a risk analysis needs to be completed.
Myth #3 – My EHR vendor took care of everything I need to do about privacy and security and the risk analysis. FALSE
The EHR vendor may satisfy some of the requirements for compliance under the HIPAA Security Rule, such as contingency plans for backup and restoration of data; however, the covered entity is responsible for overall compliance with the HIPAA Privacy and Security regulations. While an EHR vendor may be able to assist with the process, the covered entity needs to ensure the risk analysis is completed and that it evaluates the entity's own practices for privacy and security. Many times these practices include other sources of protected health information (PHI) outside of the EHR.
Myth #4 – I have to outsource the security risk analysis. FALSE
The HIPAA Security Rule doesn’t define the process for conducting the HIPAA risk analysis. There are many tools available to assist with conducting a HIPAA risk analysis, both free and paid services. It is the preference of the covered entity or business associate as to how the risk analysis will be conducted and whether they choose to outsource the process. Having the knowledge and expertise to conduct a complete and thorough risk analysis is an important aspect of completing it.
Myth #5 – A checklist will suffice for the risk analysis requirement. FALSE
A checklist can be useful and helpful as you are conducting a risk analysis; however, it should not be the only tool used. Covered entities and business associates need to ensure that policies and procedures are in place; that physical, technical, and administrative safeguards are implemented; and that the physical space is reviewed as part of the comprehensive risk analysis. Think of it as evaluating the policies and procedures, reviewing the implemented safeguards (technical, administrative, and physical), understanding the auditing and monitoring processes, and evaluating employee education.
Myth #6 – There is a specific risk analysis method that I must follow. FALSE
The HIPAA Security Rule doesn’t define a specific methodology for completing the security risk analysis. To allow the Security Rule to scale to each specific organization, the Office for Civil Rights has only issued guidance on the security risk analysis. It is up to the specific covered entity or business associate to determine how the risk analysis will be performed and what documentation of the findings will exist. The only thing to keep in mind is that it needs to be effective at identifying risk to the PHI that the organization creates, maintains, transmits, and stores, and that there needs to be effective and efficient risk management to implement appropriate safeguards that reduce the risks identified. Additionally, each time a risk analysis is completed, a formal report should be created that includes the date, the process, and the findings.
Myth #7 – My security risk analysis only needs to look at my EHR and the PHI we store in it. FALSE
It is important that the covered entity and business associate review and evaluate every device and system that stores, captures, transmits, or modifies protected health information. The review should range from all computers, laptops, and tablets to all copy machines and smart phones that may access PHI. Additionally, safeguards need to be in place for all paper that is created, maintained, stored, and destroyed by the covered entity or business associate.
Myth #8 – I only need to do a risk analysis once. FALSE
The HIPAA Security Rule doesn’t define how often a security risk analysis should be conducted; however, in order to comply with the regulations, a covered entity or business associate must continually review, identify, correct, modify, and update the security protections the organization has in place. A policy and procedure should be created to manage the HIPAA risk analysis and risk management process within the organization. If an organization is receiving Medicare or Medicaid EHR Incentive Program funds, a risk analysis needs to be completed or updated for each EHR reporting period.
Myth #9 – Before I attest for an EHR incentive program, I must fully mitigate all risks identified in the Risk Analysis. FALSE
The EHR incentive program, also known as Meaningful Use, requires that an eligible provider or eligible hospital correct and/or address any deficiencies identified during the risk analysis during the reporting period or as part of the risk management process.
Myth #10 – Each year, I’ll have to completely redo my security risk analysis. FALSE
A full security risk analysis should be conducted when you adopt the EHR, make major changes to your systems, or implement new regulations regarding privacy and security. Each year, or whenever changes to your practice or electronic systems occur, review and update the risk analysis to reflect changes in the risks to your practice.
Conducting a risk analysis can be a challenging process that takes time and resources to complete. A properly completed risk analysis allows an organization to identify risks and fix them before a major security incident or data breach occurs. Don’t take this requirement lightly; make sure you take the time to complete the risk analysis! A review of the corrective action plans and fines assessed by the federal government shows that failure to complete a risk analysis is a top finding in that documentation. Unsure how to complete a HIPAA Risk Analysis? Check out TriPoint Healthcare Solutions’ Services!