The HIPAA Risk Analysis is so important that it is the first implementation specification in the HIPAA Security Rule, a requirement since the Rule's 2005 compliance date. It forms the basis of your HIPAA compliance program and should be updated annually, or sooner whenever something significant changes in your IT environment. The HIPAA Risk Analysis is the roadmap you must follow to secure electronic Protected Health Information (ePHI) and to avoid breaching its confidentiality, integrity, or availability.

In February 2014 a Business Associate working for the LA County Department of Health caused a massive breach of 165,000 health records when 8 unencrypted laptops were stolen from Sutherland Healthcare Solutions.

Further proof of the importance of the HIPAA Risk Analysis is that a similar requirement appears in Meaningful Use attestation Core Measure 15, which must be met to receive funding through the EHR Incentive Program. Recent HIPAA enforcement actions have also cited a missing or outdated HIPAA Risk Analysis as the basis for penalties and large fines (over $1 million). This is something you need to do, and do well.

Meaningful Use Security Risk Analysis (SRA)

Core Measure 15 for Eligible Professionals requires an SRA covering the electronic Protected Health Information stored in their EHR system. The guidance does not mention HIPAA by name, but it does cite the Code of Federal Regulations section for the HIPAA Risk Analysis (45 CFR 164.308(a)(1)). The SRA is focused on the data stored within your certified EHR system, but it assumes that you have already implemented the HIPAA Security Rule safeguards. If you have not done a good job with HIPAA compliance, that gap creates a significant risk to your EHR data.

There has been a lot of confusion about the SRA, much of it based on incorrect information given to practices. The US Department of Health and Human Services published a Myths and Facts document to provide guidance. Two notable points are that a simple checklist alone does not satisfy the SRA requirement, and that you should engage a professional if you want your SRA to survive an audit or investigation.

A key difference between HIPAA and Meaningful Use is how violations come to light. A HIPAA violation is usually uncovered through one of the infrequent random HIPAA audits or, also unlikely, as part of a data breach investigation. Practices that attest to Meaningful Use are audited more frequently, and violations are enforced through the federal False Claims Act.

Can you do this alone?

The HIPAA Risk Analysis is critical to your compliance program. You need it for HIPAA, to comply with Meaningful Use and avoid severe penalties, and to make the right decisions so that you can avoid a disaster or respond to one effectively. Worry Free Solutions will help you get it right the first time.

The US Department of Health and Human Services offered this advice in response to the question of whether a practice needs an outside expert to conduct its Security Risk Analysis.

Doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

Analyze the risks of doing your own HIPAA Risk Analysis and make a wise choice.

Contact Us About HIPAA Risk Analysis
