
Performing Your Annual Security Risk Assessment

By: Nextech | June 22nd, 2021


Performing a regular security risk analysis (SRA) helps your practice stay HIPAA-compliant and protect patient data. A MIPS SRA also boosts your Merit-based Incentive Payment System score, leading to a higher chance of receiving a Medicare reimbursement at the end of the year. 

These benefits are great for any specialty healthcare practice, but they aren’t guaranteed. They only come with a properly conducted SRA that ensures the right administrative, physical, and technical safeguards are in place. Let’s unpack the benefits and process of conducting a MIPS SRA.

What Is a Security Risk Assessment?

A security risk assessment is a structured review of your practice’s cybersecurity. It examines administrative, physical, and technical safeguards and identifies any risks. You can think of it as an annual checkup for your data security. 

And similar to an annual checkup, it serves multiple purposes. The first is to ensure your practice is compliant with HIPAA and MIPS. The Centers for Medicare & Medicaid Services (CMS) indicate “MIPS-eligible clinicians must attest YES to conducting or reviewing a security risk analysis and implementing security updates as necessary and correcting identified security deficiencies.” Failure to complete the required actions for the Security Risk Assessment results in NO SCORE for the Promoting Interoperability (PI) performance category in MIPS, regardless of whether other measures are successfully reported.

Beyond compliance, SRAs also protect your practice against cyberattacks. In 2024, cyberattacks in the healthcare space are on the rise, making data security more important than ever before.

Why Is SRA Important?

First and foremost, the SRA is a required component of the HIPAA Security Rule. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organizations. 

Other benefits of an SRA include:

  • Revealing areas where protected health information (PHI) could be at risk
  • Ensuring patient data is safe
  • Complying with MIPS program requirements 

What Is MIPS?

Fully understanding MIPS is essential to conducting an effective SRA. MIPS changed how Medicare rewards clinicians, focusing on value over volume. Practices that participate in MIPS can earn performance-based payment adjustments for services provided to Medicare patients. 

With MIPS, performance is measured through data that clinicians report in four categories: quality, promoting interoperability, improvement activities, and cost. Failure to conduct an SRA will lead to no points in the promoting interoperability category. 

Why Is MIPS Important?

MIPS doesn’t just measure your practice’s performance. It compares that performance against other healthcare organizations and adjusts Medicare payments based on how well your practice performs. MIPS is a losers-pay-winners scenario: you can be fined, receive no adjustment, or receive a reimbursement. 

Groups or individuals who receive a perfect score of 100 in 2023 will receive a +8.25% adjustment on all 2025 Medicare reimbursements. Groups with less than ideal scores will receive little to no adjustment or be fined. 

Some staff at the Dermatology Associates of West Texas used to experience stress around MIPS reporting. The process was confusing, and their strategy was simply to achieve a neutral status with MIPS; they were not expecting to receive reimbursements. 

Once the West Texas office invested in the right EHR, everything changed. Office manager Kitty Arp reflects, “We had never received MIPS bonuses before. We were always scoring just neutral enough to avoid negative adjustments. We weren’t even really expecting to receive any bonuses. We just didn’t want to lose money due to penalties. But now, we are receiving that incentive money and we want to keep that going.”

The SRA Tool

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable SRA Tool that guides providers through the process. 

The tool is designed to help providers perform an SRA as required by the HIPAA Security Rule and the CMS Electronic Health Record (EHR) Incentive Program. 

It can be downloaded to the desktop of your choice, and the report can be saved to a file location of your choice. It also allows you to return and continue your SRA year after year.

Any data you enter into the SRA Tool is stored locally on your computer or tablet. HHS does not receive, collect, view, store, or transmit any of the information that you put in the SRA Tool. 

The results of the assessment are displayed in a report you can use to identify risks related to your policies, processes, and systems. Methods to fix weaknesses are suggested while you are performing the assessment. Note that the tool is aimed at small-to-medium practices and may not be appropriate for larger ones.

With proper use of the SRA tool, your practice can successfully pass compliance audits. The tool must be used and completed, with mitigation plans in progress and continued assessment of ongoing risk. Think of it as a continual cycle of screening, and be aware that new risks can emerge at any time. When new risks appear, your SRA will need to be updated to reflect them.

Maintaining SRA Documentation 

The risk analysis process should be ongoing. For a practice to update and document its security measures “as needed,” which the HIPAA Security Rule requires, it should conduct a continuous risk analysis to identify when updates are needed.

The rule does not specify how often an SRA should be performed as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years), depending on the circumstances of their environment.

If you are participating in the MIPS program, you do not need to complete the full assessment every year. However, you must be able to demonstrate that you reviewed the work plan that was created from your initial assessment each year and that you are working to complete your identified mitigation strategies. You should perform the full assessment at least every other year.

How to Conduct a MIPS SRA 

Conducting a MIPS SRA can be complicated, but your practice can create a repeatable process to speed it up. The first step toward a great SRA process is to assign the SRA to the right staff member. Choose someone in the office who can block out time in their schedule to conduct an annual SRA and address any security threats as they arise. 

Ideally, this person is also familiar with how electronic health records are organized and how your practice’s administrative workflow operates. Once the SRA lead has been identified, there are four key steps they should take for each SRA. 

Step 1: Complete the SRA Assessment

When conducting an SRA, there are five areas of risk to watch out for: 

  • Physical safeguards: Ensure computer screens are shielded from patients, visitors in the waiting room, and other unauthorized persons. 
  • Administrative safeguards: Audit the policies that protect privacy and check whether they contain any vulnerabilities. 
  • Technical safeguards: Check that all data is encrypted and stored safely. 
  • Policies and procedures: Analyze the protocols for authorized staff members and identify any weak spots. 
  • Organizational requirements: Review all business associate agreements and highlight any threats or vulnerabilities. 

Step 2: Create a Security Work Plan

After conducting the assessment and finding any potential risks, the next step is to mitigate them. To do so, your designated SRA assessor should create a security work plan. 

A security work plan is essentially a project management plan by another name. When done properly, it clearly outlines the steps needed to reach a department-level or company-level end goal, with milestones, deliverables, resources, budgetary requirements, and a timeline pulled together into a readable plan.

Before beginning your work plan, consider using SMART goals: Specific, Measurable, Achievable, Relevant, and Time-related. This should help you start your plan with a clear goal in mind.

Step 3: Save a PDF Summary

After completing your security risk assessment, you should save a PDF summary. This can be used to identify the total risks and potential gaps that your practice has in each of the different assessment sections. This should also break down the risk into high, medium, and low priorities so you can properly work on the ones that need immediate attention first.

Step 4: Enact the Security Work Plan

Now that the PDF summary is saved and there’s a work plan created, it’s time for action against any identified security threats. Before starting, consider consulting an external resource, such as your EHR vendor’s regulatory experts, to see if there’s anything else you should do. These experts can also help you determine if there are better ways to resolve issues than you had originally considered in your plan. 

How to Avoid Problems 

Even if you follow the four steps outlined above, you may run into problems as you conduct an SRA. Fortunately, there are steps you can take today to avoid security issues. 

Some of the best tips include:

  • Keep hardware and software up to date.
  • Make sure key technologies, such as your EHR and practice management software, meet regulatory standards.
  • Clearly define procedures for authorized staff and update them regularly.
  • Make sure data is stored on a cloud-based EHR to protect patient data (especially given the increased risk of healthcare cyberattacks in 2024).
  • Prepare for the SRA ahead of time so it’s not a surprise and schedule it into your workflow.

Best Technology for Security Risk Analysis 

Along with the federal government’s free SRA tool, there are a few supplementary technologies to enhance security or make the SRA easier. 

Some of the best ones to consider include:

  • Cloud-based EHR: A cloud-based EHR stores encrypted patient data on a secure cloud-based server. 
  • Protected PM software: Along with protecting data stored on an EHR, ensure your PM software meets security and compliance regulations. 
  • MIPS calculator: Too many practices are unsure what their MIPS score is until it’s too late. To be proactive about MIPS, invest in a MIPS calculator. Some EHR/PM software, including Nextech’s solution, includes this type of tool.
  • Integrated payment systems: To protect financial data, invest in a robust payment system that integrates smoothly with other practice technologies. 

These tools, however, are only as good as the people using them. Working with personnel who understand how to use the technology and get the most out of it is invaluable. While your staff members can be a resource, your technology vendors should also provide access to a tech-savvy customer service team. 

Managing Regulatory Updates and Compliance Requirements

By conducting an SRA each year, you will be able to identify potential risks associated with your practice and create a detailed security work plan to correct any of these issues. A thorough SRA takes a bit of organization and planning. But when done right, it ensures your practice’s continued success.

And you don’t have to do it alone. A high-quality EHR will come with support, including regulatory experts who can help your practice maintain compliance, whether it relates to security, MIPS, or other regulations. 

Schedule a demo to learn more about how Nextech can help your practice with a MIPS Security Risk Assessment.