Your practice needs to conduct a security risk analysis when it adopts certified EHR technology in the first reporting year. In later reporting years, or when changes to the practice or electronic systems occur, your practice must conduct a review. If your practice finds any security updates and deficiencies in the review, you must include them in the risk management process. Also, your practice must implement or correct any elements as dictated by the process.
This tipsheet supplies an overview of the security risk analysis requirement. Meaningful use does not impose new or expanded requirements on the HIPAA Security Rule, nor does it require specific use of every certification and standard included in the certification of EHR technology.
Performing a Security Risk Analysis
Today many organizations store patients’ protected health information electronically, so the risk of a breach of their e-PHI, or electronic protected health information, is very real.
There is no single method or “best practice” that guarantees compliance, but most risk analysis and risk management processes have the following steps in common. Here are some considerations as you conduct your risk analysis:
Review the existing security infrastructure in your medical practice against legal requirements and industry best practices
Find potential threats to patient privacy and security and assess their impact on the confidentiality, integrity, and availability of your e-PHI
Prioritize risks based on the severity of their impact on your patients and practice
Create an Action Plan
Once you have completed these steps, create an action plan to safeguard the confidentiality, integrity, and availability of the e-PHI, and make your practice better at protecting patients’ health information.
Your action plan will involve a review of your electronic health information system to correct any processes that make your patients’ information vulnerable. Make sure your analysis examines risks specific to your practice. For example, how do you store patient information—on an EHR system in your office, or on an Internet-based system? Each scenario carries different potential risks.
Your risk analysis may also reveal that you need to update your system software, change the workflow processes or storage methods, review and change policies and procedures, schedule more training for your staff, or take other necessary corrective action to eliminate identified security deficiencies.
Protecting Patients’ Electronic Information
Your security risk analysis will help you measure the impact of threats and vulnerabilities that pose a risk to the confidentiality, integrity, and availability of your e-PHI. Once you have completed the risk analysis of your practice’s facility and information technology, you will need to develop and implement safeguards to mitigate or lower the risks to your e-PHI. For example, if you want to assure continued access to patient information, you may need to add a power surge protection strip to prevent damage to sensitive equipment from electric power surges, move the computer server into a locked room, and become meticulous about performing information system backups.
The Security Rule requires that you put into place reasonable and proper administrative, physical, and technical safeguards to protect your patients’ e-PHI. The Security Rule allows you to tailor security policies, procedures, and technologies for safeguarding e-PHI based on your medical practice’s size, complexity, and capabilities—as well as its technical, hardware, and software infrastructure.
The following table shows some examples of safeguards and processes you might put in place to mitigate security risks to your practice. These are only examples, and your practice should not rely on this information as a comprehensive guide for lessening security risks. Your practice should set up reasonable and proper administrative, physical, and technical safeguards tailored to the size and complexity of your practice.