After you spend enough time in one position, role or subject, it is human nature to assume for a fleeting moment others know what you are “geeking” about. This is particularly true when it comes to Meaningful Use and to “Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.” This is accomplished by doing the following: “Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1)…”
Was that a good example? Let me take it back out of the “geek” closet for a moment.
So we all know that this thing called a HIPAA Security Risk Analysis can be done using tools like spreadsheets, ONC’s Security Risk Assessment Tool, and NIST questionnaires. Ironically, none of these tools assures you are doing the right “thing” unless you hold some sort of audit or security designation (e.g. JD, CISA, CISSP, HCISPP, and CHPS among others), let alone provides any sort of guarantee. But as the old saying goes, “You get what you pay for.”
Using a professional, third-party Audit, Legal, Security or IT Managed Service Provider (outsourced IT) usually provides good results as long as they are accredited (see the paragraph above on basic credentials). They go into the organization, interview staff, collect some documentation, run scans on the networks, and provide a comprehensive, detailed project plan to achieve compliance. Somewhere between 4 and 6 weeks after the flurry of activity is over, and the world has moved on, the final report appears.
The HIPAA Security Risk Analysis and Assessment (SRA) report is a combination of art and content, and most importantly, it highlights serious risks to the organization. Except there is one problem – you now need a project deployment team to convert this static SRA report into an ongoing risk management plan (prioritized by risk level), get status reports on tasks, research Policies and Procedures, track progress, send email or meeting reminders, and track all of this towards HIPAA compliance.
This is a huge administrative burden!
Then there are the Myths…
Myth #1 – We will update the plan from last year’s SRA for Meaningful Use reporting and attestation.
HIPAA One® take: False – this is called updating the progress of last year’s security risk management plan (see more in Myth #2 below).
Myth #2 – Each year, I’ll have to completely redo my security risk analysis.
False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks…
HIPAA One® take: Things change on a constant basis. Roles change, network computer systems are changed to meet new requirements, and internal processes change too.
“Updating the prior analysis for changes in risks” means conducting a gap assessment and risk analysis on any of those items that changed from last year. Since tracking these changes is a near-impossible task (ITIL Change Management processes are being widely adopted to tackle this), HIPAA One® allows a full import of last year’s HIPAA Security Risk Analysis (SRA), so each question can be reviewed to see what has changed. Ongoing tracking is built in after the SRA is over, and automated documentation requirements simplify audit responses by pressing a “Print” button.
Myth #3 – I have to outsource the security risk analysis.
“False. It is possible for small practices to do a competent risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”
HHS Privacy and Security Guide of Health Information, page 6
HIPAA One® take: If you haven’t had a third party come in the past 3 years, or ever, then we would strongly recommend outsourcing one to ensure your efforts stand up to a compliance review. The first year of compliance efforts is expensive; however, year 2 should be roughly 50% of what year 1 is as investments are implemented. The Security Risk Analysis should contribute to that 50% savings by automating the mundane, error-prone and labor-intensive steps of conducting the risk analysis. HIPAA One® accomplishes this by accelerating each person’s efforts by a 5x factor, using automation instead of a manual risk analysis while learning from the experience. In year 2 this allows you, the non-certified auditor, to simply press the “Import Last Year’s Assessment” button, and HIPAA One® allows you to insource instead of outsource.
We have tried to stay out of the geek closet for this blog as much as possible and realize this is a very jargon-clad specification. Let us at HIPAA One®, along with our esteemed partners, help provide the software, assurance and peace of mind for your organization. Contact us today to get your Meaningful Use HIPAA Security Risk Analysis done before the Holidays!