Performing a regular Security Risk Assessment (SRA) will help an organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps practices discover areas where protected health information (PHI) could be at risk. To learn more about the assessment process and how it can benefit your organization, we recommend visiting the Office for Civil Rights' official guidance.
In this blog, we will discuss the importance of performing an SRA as well as using the SRA Tool and maintaining proper SRA documentation.
Why the SRA is Important
First and foremost, the SRA is important because it is a required component of the HIPAA Security Rule. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organizations. A risk assessment helps your organization maintain compliance with HIPAA’s administrative, physical and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.
Your annual SRA remains an important part of the MIPS program. Failure to complete the required actions for the Security Risk Assessment will result in NO SCORE for the Promoting Interoperability (PI) performance category in MIPS, regardless of whether other measures in this category were successfully reported. Without completing the SRA, you will not be able to receive any of the 25 possible points for the PI category.
The SRA Tool
The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable SRA Tool to help guide providers through the process. The tool is designed to help providers perform an SRA as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program. It can be downloaded to the desktop of your choice, and the report can be saved to a file location of your choice. The tool also allows you to return and continue your SRA year after year.
Any data you enter into the SRA Tool is stored locally on your computer or tablet. HHS does not receive, collect, view, store or transmit any of the information that you put in the SRA Tool. The results of the assessment display in a report you can use to identify risks related to your policies, processes and systems. Methods to fix weaknesses are provided while you are performing the assessment. Note that the target audience of this tool is medium-to-small practices, so keep in mind that it may not be appropriate for larger practices.
With proper use of the SRA tool, your practice can successfully pass compliance audits. It is important that the tool has been used and completed, that mitigation plans are in process, and that assessment for risk is ongoing. Think of it as a cycle of screening that never really stops, and know that new risks can occur at any time. In the event that they do, your SRA will need to be updated to reflect these possible risks.
Maintaining SRA Documentation
The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed [45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)]. The Security Rule does not specify how often an SRA should be performed as part of a comprehensive risk management process. The frequency of performance will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every 3 years), depending on circumstances of their environment. If you are participating in the MIPS program, you do not need to complete the full assessment every year. However, you must be able to demonstrate that you reviewed the workplan that was created from your initial assessment each year and that you are working to complete your identified mitigation strategies. You should perform the full assessment at least every other year.
It is important to create a security workplan to guide your mitigation of risks discovered during your security risk assessment. A security workplan is essentially a project management plan by another name. When done properly, your workplan will clearly articulate and outline the steps needed to achieve a department-level or company-level end goal by baking in milestones, deliverables, resources, budgetary requirements and a timeline to pull everything into a readable plan.
It’s usually best suited to large projects and initiatives but can really be used on any level. Before beginning your workplan, consider using SMART goals: Specific, Measurable, Achievable, Relevant and Time-related. This should help you start your plan with a clear goal in mind.
After completing your security risk assessment, you should save a PDF summary that you can use to help identify the total risks and potential gaps that your practice has in each of the different sections of the assessment. This should also break down the risk into priorities of high, medium and low so you can properly work on the ones that need immediate attention first.
Be Ready with an SRA
By conducting an SRA properly and on a regular schedule, you will be able to identify potential risks associated with your practice and create a detailed security workplan to correct any of these issues. Doing this takes a bit of organization and planning. If done right, however, it will ensure your practice’s continued success.