I’ve been writing about the need to do a HIPAA Risk Assessment since it was included as part of meaningful use. Many organizations have been really confused by this requirement, and no doubt it will be an issue for many organizations that get a meaningful use audit. It’s a little ironic, since this really isn’t anything that wasn’t already part of the HIPAA security rule. Then again, that confusion illustrates how well we’re doing at complying with the HIPAA security rule.
It seems that CMS has taken note of this confusion around the HIPAA risk assessment as well. Today, they sent out some more guidance, tools and resources to hopefully help organizations better understand the Security Risk Analysis requirement. Here’s a portion of that email that provides some important clarification:
A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.
For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014. For more information, read this FAQ.
Please note:
* Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
* In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.
CMS also created this Security Risk Analysis Tipsheet that has a lot of good information including these myths and facts which address many of the issues I’ve seen and heard:
Finally, it’s worth reminding people that the HIPAA Security Risk Analysis is not just for your tech systems. Check out this overview of security areas and example measures to secure them to see what I mean:
Have you done your HIPAA Risk Assessment for your organization?
Hi John.
Thanks for a great post. This is a great summary and provides quick reference to a lot of important information. I forwarded to the pertinent folks in our network because I thought it would be a good refresher.
Thanks,
Kalan
Thanks Kalan. Glad you found it useful. I found the myths and facts answered a lot of questions I had and confirmed many of the answers to things I’d heard. I appreciate you sharing it.
In a world where HIPAA confusion abounds, John leads the industry in taking complex concepts and distilling the information into simple and easy to understand ideas that can be put into practice by any provider. What a wealth of information!
Keep up the good work!
Thanks Bobby. I appreciate the kind words. We do what we can to contribute to the conversation. Although, I can’t take too much credit for the above. I just found it and shared. Thanks to CMS for providing something that’s simple.
This is a big help when you are wading through copious notes looking for answers. Thank you John
Linda,
If all government regulation could be so clear.
There’s a great book out there that gives step by step instructions and spreadsheet templates for working through your own risk assessment. I’ve been quite impressed with it.
http://www.amazon.com/gp/product/B00L1HYMKK/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00L1HYMKK&linkCode=as2&tag=crashutah-20&linkId=5RZLA44UFA32GA6J
Like taxes, financials and proof reading your term papers, you generally want a “fresh set of eyes” to accomplish your risk assessment.
“Of course you’d say this, John, this is what you do…”.
True, but if 80% + of the practices I looked at got it right…heck, even got close to understanding what they need to do, I’d agree.
Think about it for a moment:
You are piling all of your PHI into one place. One screw-up could actually fine you out of business. Most of your staff are so uninformed about safe computer use, it’ll make your hair hurt.
Computer security has become a big thing for you now.
I’d also like to point out this:
“In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.”
is NOT an excuse to skip risk assessments.
You’d be hard pressed to argue with an HHS auditor that you had zero changes to your EHR or computer system over a year’s period.