Top 7 Myths About HIPAA Security Risk Analysis

The Department of Health and Human Services Office for Civil Rights’ pilot program to conduct HIPAA privacy and security audits showed that the top deficiency among audited organizations was the lack of a sufficient risk analysis plan. Coalfire Systems, an IT security advisory, audit and testing services firm, advises avoiding seven common myths about a security risk analysis.


Myth 1: A security risk analysis is optional for small providers.

A risk analysis is mandatory for all covered entities, regardless of size: it is a required (not addressable) implementation specification of the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), and it is also a core requirement for all providers seeking electronic health records Meaningful Use incentives. Small size is no protection either; cybersecurity researchers report that 30 percent of all data breaches occur within organizations of 100 or fewer employees.

Myth 2: Any certified EHR system will satisfy risk analysis requirements.

The Security Rule covers all electronic protected health information a provider creates, receives, maintains or transmits, not just the contents of the EHR: billing systems, e-mail, file shares, backups, portable media and mobile devices are all in scope. Eighty-two percent of clinicians will spread their work across a smartphone, tablet and computer by the end of the year, continuously extending the security perimeter the analysis has to cover.


Myth 3: EHR vendors already address privacy and security issues for their customers.

EHR vendors often provide information about their products' security features, but the burden of configuring those products to align with the HIPAA rules, and of securing everything around them, falls solely on the provider; certification of the software does not transfer the obligation. Organizations that are uncertain about their compliance management capabilities would be wise to seek assistance from outside experts.


Myth 4: There is a single method of analysis that must be followed.

Just as the operational risks faced by each organization are unique, so too are the analyses that respond to them; the rule prescribes the outcome, not the method. OCR guidance indicates that every effective analysis should include: identification of all the places where the organization creates, receives, stores or transmits ePHI; identification of the human, digital and environmental threats to that data, and the vulnerabilities they could exploit; and an assessment of the security measures currently in place together with the likelihood and impact of each threat, so that the resulting risks can be ranked and addressed.


Myth 5: Checklists will satisfy risk analysis requirements.

Checklists are valuable awareness aids, but they do little to facilitate the execution or documentation of the analysis itself: a ticked box records neither which systems hold ePHI nor what the risk to them is. The number of health information privacy complaints has risen in each of the last four years following HITECH Act implementation, suggesting significant room for improvement.


Myth 6: A risk analysis only needs to be completed once.

Continuous review, correction and modification of the security program is required by the HIPAA rules; risk management is an ongoing process, not a one-time deliverable. Formal analyses are recommended annually, at a minimum.


Myth 7: Each new analysis will start from scratch.

The organization need not reinvent the wheel each time. Perform a complete analysis upon EHR implementation, then update the documentation as changes in practice or technology occur, for example a new system, a new business associate, a move to mobile devices or a security incident, and re-examine the conclusions at each formal review.


Coalfire Systems has 12 offices across the nation.
