If you thought that your office didn’t need to conduct a security risk analysis because your providers aren’t participating in the Meaningful Use program, you’d be wrong.
Conducting a security risk assessment is a key requirement of the HIPAA Security Rule, and all healthcare provider groups and business associates must be able to prove they have conducted a security risk analysis in the event of an HHS audit.
March 1st – 7th, 2015 is National Consumer Protection Week, and healthcare providers can do their part by complying with the HIPAA Security Rule. Even if you are never audited, failing to conduct a security risk analysis means that you are potentially compromising the security of the PHI (personal health information) of your patients, as well as your own organization’s confidential information.
HIPAA requires that covered entities “implement policies and procedures to prevent, detect, contain, and correct security violations” by conducting “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the [organization].”
Fortunately, the ONC has made this process a whole lot easier for healthcare organizations to be compliant when they released a downloadable Security Risk Assessment Tool (SRA Tool) in 2014.
The downloadable SRA tool guides you through the process of conducting your own HIPAA Risk Assessment. This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment. The tool provides an exportable report to provide to auditors in the event of a HIPAA audit.
Here is our step-by-step tutorial on conducting your own Security Risk Assessment using the SRA Tool from the ONC:
Navigate to the CMS website for the download: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool and select the type of preferred download (iPad or Windows) from the right sidebar. You can also download below by clicking on the appropriate SRA Tool version.
Once you have downloaded and saved the tool, run the application.
In the top right corner, enter first/last name/ initials and click the Tab button on you keyboard, and select “Log In”. Once logged in, read the disclaimer and “Start Assessment” in the lower right corner.
You may also enter data related to the practice, business associates, and asset inventory by clicking on each tab. This is not required to complete the assessment.
Every question will allow for a yes/no response and a “flag” field for later completion.
At the bottom, complete the likelihood there will be breach in protected health information, and what impact a breach of data might have to the clinic/organization. Click “Next Question” when complete.
In the upper right area, each question provides 3 informational tabs (optional use).
On the lower right area, 3 more tools may be used for clarification (optional).
When finished with the assessment questionnaire, click “Report” at the bottom of the screen; choose the preferred export method: