Security Risk Assessment

Protecting Patient Health Information via Security Risk Assessment (SRA)

Health care providers of all sizes and types have data at risk. Breaches of sensitive data, including electronic protected health information (ePHI), occur on a regular basis.

The Department of Health and Human Services Office for Civil Rights (OCR) has started a new phase of its audit program in which it randomly evaluates practices’ compliance with the HIPAA Privacy and Security Rules. As part of this phase, OCR is conducting both on-site and off-site (desk) audits. Every practice should make sure it is prepared for such an audit, since any HIPAA covered entity can be selected.

During the 2016 calendar year, a total of 450 unique covered entities had at least one data breach that resulted in the compromise of protected health information, so the health care industry averaged more than one data breach per day. With the rise of ransomware, threat actors have more ways than ever to compromise your data. (Source: Protenus, “March Health Data Breaches,” April 13, 2017, retrieved from https://www.protenus.com/blog/march-health-data-breaches-time-to-report-improving-but-time-to-discovery-still-troubling)

What is the objective of an SRA?

An SRA identifies where ePHI is created, received, maintained, or transmitted, and the threats and vulnerabilities that put its confidentiality, integrity, and availability at risk, so those risks can be reduced through the organization’s risk management process (this is the assessment required by 45 CFR 164.308(a)(1)). Patient information is necessary to provide medical care, but it can be very damaging if it falls into the wrong hands. Patients can be victimized by fraud, identity theft, loss of privacy, or improper modification of their medical records. Health care organizations that suffer a breach of patient data can face financial penalties, lost revenue, bad publicity, and legal action. Loss of access to health information can seriously impede an organization’s ability to provide care, and for severely affected entities it can grind all operations to a halt. Securing patient information is therefore essential to providing adequate medical care, which is why patient information is protected by law under the HIPAA Privacy and Security Rules. The Quality Payment Program and the EHR Incentive Program both underline the critical need for information security by making security risk analysis a prominent requirement.

Quality Payment Program (MACRA/MIPS) Advancing Care Information measure

“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician's risk management process.”

MIPS eligible clinicians must meet this requirement to earn the 50% base score, which is a prerequisite for receiving any score at all in the Advancing Care Information category.

EHR Incentive Program (Meaningful Use) measure

“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI created or maintained by CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP, eligible hospital, or CAH’s risk management process.”

Eligible professionals, eligible hospitals, and CAHs must meet the SRA requirement to attest to Meaningful Use for a given year. The SRA must be conducted during the year being attested to and before the attestation is submitted.

Please see the M-CEITA SRA fact sheet for more information.

M-CEITA has helped thousands of providers ensure compliance with the Meaningful Use Risk Assessment requirement. We can help you, too.

M-CEITA is facilitated by Altarum Institute. Copyright © 2016 Altarum Institute. All Rights Reserved.