Security Risk Analysis: Protecting Patients' Health Information
Conducting or reviewing a security risk analysis is required to meet the standards of the HIPAA Security Rule. This requirement is included in the meaningful use guidelines of the Medicare and Medicaid EHR Incentive Programs. Eligible professionals must conduct or review a security risk analysis in both Stage 1 and Stage 2 of meaningful use. This ensures the privacy and security of their patients’ protected health information.
Stage 1 and Stage 2 Meaningful Use Requirement: Protect Electronic Health Information
| Objective | Measure | Description of HIPAA requirement |
|---|---|---|
| Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. | In Stage 1, eligible professionals must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. | Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)). |
Your practice needs to conduct a security risk analysis when it adopts certified EHR technology in the first reporting year. In later reporting years, or when changes to the practice or electronic systems occur, your practice must conduct a review. If your practice finds any security updates and deficiencies in the review, you must include them in the risk management process. Also, your practice must implement or correct any elements as dictated by the process.
This tipsheet supplies an overview of the security risk analysis requirement. Meaningful use does not impose new or expanded requirements on the HIPAA Security Rule. It also does not require the use of every certification or standard included in certified EHR technology.
Performing a Security Risk Analysis
Today, many organizations store patients’ protected health information electronically. This makes the risk of an e‑PHI breach very real.
There is no single method or “best practice” that guarantees compliance. However, most risk analysis and risk management processes have the following steps in common. Here are some considerations as you conduct your risk analysis:
Review the existing security infrastructure in your medical practice. Make sure it aligns with legal requirements and industry best practices.
Find potential threats to patient privacy and security. Then assess how they affect the confidentiality, integrity, and availability of your e‑PHI.
Prioritize risks based on the severity of their impact on your patients and practice.
Create an Action Plan
Once you complete these steps, create an action plan to protect the confidentiality, integrity, and availability of your e‑PHI. This will help your practice better safeguard patients’ health information.
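The three steps above (review the environment, identify threats and assess their effect on confidentiality, integrity and availability, then prioritize by severity) and the action plan that follows from them are easiest to keep consistent when the findings are kept in a simple risk register. The following is an added illustration, not part of the ONC tipsheet or any official tool: it scores each threat by likelihood times its worst-case impact on the three CIA properties, ranks the results, emits an action plan in remediation order, and shows how a later review is compared against the prior analysis instead of being redone from scratch. The scoring scale, priority thresholds, assets, threats and safeguards are all constructed for the example.

```python
"""Small risk register for an e-PHI security risk analysis (added example).

Scores threats by likelihood x worst-case CIA impact, ranks them, turns the
ranking into an action plan, and diffs a later review against the prior
analysis. All values below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str            # where e-PHI is stored, captured or accessed
    threat: str           # what could go wrong
    likelihood: int       # 1 = rare, 2 = possible, 3 = likely (assumed scale)
    confidentiality: int  # impact on each CIA property, 0 (none) .. 3 (severe)
    integrity: int
    availability: int
    safeguard: str        # planned administrative, physical or technical measure

    def impact(self) -> int:
        # Worst-case impact across confidentiality, integrity and availability
        return max(self.confidentiality, self.integrity, self.availability)

    def score(self) -> int:
        # Likelihood x impact, giving a 0..9 score
        return self.likelihood * self.impact()

    def key(self):
        # Identity of a risk across analyses: the asset/threat pair
        return (self.asset, self.threat)


def priority(score: int) -> str:
    """Bucket a score into the priority used to order remediation (assumed thresholds)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank_risks(risks):
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset))


def action_plan(risks):
    """One row per risk in remediation order, ready to document and track."""
    return [
        {"priority": priority(r.score()), "score": r.score(), "asset": r.asset,
         "threat": r.threat, "safeguard": r.safeguard}
        for r in rank_risks(risks)
    ]


def review_changes(previous, current):
    """Compare a later review with the prior analysis: new risks, retired risks,
    and existing risks whose score changed (for example after a safeguard)."""
    prev = {r.key(): r for r in previous}
    curr = {r.key(): r for r in current}
    return {
        "added": sorted(curr.keys() - prev.keys()),
        "removed": sorted(prev.keys() - curr.keys()),
        "rescored": sorted(k for k in prev.keys() & curr.keys()
                           if prev[k].score() != curr[k].score()),
    }


# Constructed sample register for a small practice (illustrative values only)
SAMPLE_RISKS = [
    Risk("EHR server", "Power surge damages hardware", 2, 0, 1, 3,
         "Surge protection and UPS; move server to a locked room; test backups"),
    Risk("Office tablet", "Device lost or stolen with cached records", 3, 3, 1, 1,
         "Full-disk encryption, screen lock, remote wipe"),
    Risk("Copier hard drive", "Stored scans remain on disk at disposal", 1, 3, 0, 0,
         "Wipe or destroy the drive before the copier leaves the practice"),
    Risk("Front desk workstation", "Screen visible from the waiting area", 3, 1, 0, 0,
         "Privacy filter and automatic screen lock"),
    Risk("EHR user accounts", "Former staff retain login access", 2, 3, 2, 0,
         "Written offboarding protocol; monthly review of user activity"),
]

# Constructed later review: tablet encryption deployed (confidentiality impact
# reduced), and a new patient portal added to the environment
REVIEWED_RISKS = [
    r if r.asset != "Office tablet"
    else Risk(r.asset, r.threat, r.likelihood, 1, 1, 1, r.safeguard)
    for r in SAMPLE_RISKS
] + [
    Risk("Patient portal", "Weak passwords on portal accounts", 2, 3, 1, 0,
         "Password policy and multi-factor authentication"),
]

if __name__ == "__main__":
    for row in action_plan(SAMPLE_RISKS):
        print(f"{row['priority']:6} {row['score']}  {row['asset']}: "
              f"{row['threat']} -> {row['safeguard']}")
    print(review_changes(SAMPLE_RISKS, REVIEWED_RISKS))
```

The register deliberately keys each risk by asset and threat rather than by a numeric ID, so the yearly review can report what is new, what was retired, and what changed score; that output is the evidence that the prior analysis was reviewed and updated rather than repeated.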
Your action plan will include a review of your electronic health information system. This helps you identify and correct any processes that put your patients’ information at risk. Make sure your analysis examines risks specific to your practice. For example, consider whether you store patient information on an in‑office EHR system or an Internet‑based system. Each scenario carries different potential risks.
Your risk analysis may reveal the need to update your system software or change workflow processes and storage methods. It may also show that you should revise policies and procedures, schedule more staff training, or take other corrective actions to address identified security deficiencies.
Protecting Patients’ Electronic Information
Your security risk analysis helps you measure the impact of threats and vulnerabilities. It shows how they may affect the confidentiality, integrity, and availability of your e‑PHI. Once you have completed the risk analysis of your practice’s facility and information technology, you will need to develop and implement safeguards to mitigate or lower the risks to your e-PHI. For example, if you want to ensure continued access to patient information, you may need to add power surge protection to prevent equipment damage. You may also need to move the computer server to a locked room and be meticulous about performing system backups.
The Security Rule requires that you put into place reasonable and proper administrative, physical, and technical safeguards to protect your patients’ e-PHI. The Security Rule allows you to tailor your security policies, procedures, and technologies to safeguard e‑PHI. You can base these decisions on your practice’s size, complexity, capabilities, and technical infrastructure.
The following table shows some examples of safeguards and processes you might put in place to mitigate security risks to your practice. These are only examples, and your practice should not treat them as a comprehensive guide. You should not use this information as your only resource for lessening security risks. Your practice should set up reasonable and appropriate administrative, physical, and technical safeguards tailored to its size and complexity.
| | Security Areas to Consider | Examples of Potential Security Measures |
|---|---|---|
| Policies & Procedures | • Written policies and procedures to assure HIPAA security compliance • Documentation of security measures | • Written protocols on authorizing users • Record retention |
| Administrative Safeguards | • Designated security officer • Workforce training and oversight • Controlling information access • Periodic security reassessment | • Staff training • Monthly review of user activities • Policy enforcement |
| Technical Safeguards | • Controls on access to EHR • Use of audit logs to monitor users and other EHR activities • Measures that keep electronic patient data from improper changes • Secure, authorized electronic exchanges of patient information | • Secure passwords • Backing up data • Virus checks • Data encryption |
| Organizational Requirements | • Business associate agreements | • Plan for identifying and managing vendors who access, create or store PHI • Agreement review and updates |
| Physical Safeguards | • Your facility and other places where patient data is accessed • Computer equipment • Portable devices | • Building alarm systems • Locked offices • Screens shielded from secondary viewers |
Security Risk Analysis Myths and Facts
The following table addresses common myths about conducting a risk analysis and provides facts and tips that can help you structure your risk analysis process.
| Myth | Fact |
|---|---|
| I have to outsource the security risk analysis. | False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional. |
| A checklist will suffice for the risk analysis requirement. | False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed. |
| There is a specific risk analysis method that I must follow. | False. A risk analysis can be performed in countless ways. |
| My security risk analysis only needs to look at my EHR. | False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use. |
| I only need to do a risk analysis once. | False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. |
| Before I attest for an EHR incentive program, I must fully mitigate all risks. | False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) according to the timeline established in the provider’s risk management process, not the date the provider chooses to submit meaningful use attestation. The timeline needs to meet the requirements under 45 CFR 164.308(a)(1), including the requirement to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [45 CFR ]§164.306(a).” |
| Each year, I’ll have to completely redo my security risk analysis. | False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under meaningful use, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program. |
For more information, including a ten-step plan for health information privacy and security, review ONC’s Guide to Privacy and Security of Health Information.