The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Here, you will find the top 10 myths about HIPAA and get a HIPAA Security Risk Assessment Template free of charge!
Top 10 Myths of HIPAA Security Risk Assessment
As with any regulation, there may be unclear or misinformation making the rounds. IT and security (especially cybersecurity) can be full of terms you may not be familiar with. This list will help you determine what the facts are.
1. The security risk analysis is optional for small providers.
False. All providers who are covered entities, including funeral homes under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive Electronic Health Record (HER) incentive payments must conduct a risk analysis.
2. Simply installing a certified EHR fulfills the security risk analysis Meaningful Use requirement.
False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
3. My EHR vendor took care of everything I needed to do about privacy and security.
False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
4. I must outsource the security risk analysis.
False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge, especially in the IT field. The services of an experienced outside professional should be engaged.
5. A checklist will suffice for the risk analysis requirement.
False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis, and the documentation for each control in the risk assessment.
6. There is a specific risk analysis method that I must follow.
False. Risk analyses are performed by different people in countless ways. Best practice is to choose a framework and go through each control to determine if you are complying with HIPAA requirements.
7. My security risk analysis only needs to look at my EHR.
False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.
8. I only need to do a risk analysis once.
False. To comply with HIPAA, you must continue to review, correct, modify, and update security protections.
9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
False. The EHR incentive program requires documenting and correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
10. Each year my company needs to redo the security risk analysis.
False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice, or IT systems occur, review, and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.