Businesses and organizations subject to HIPAA are required to review their administrative, physical, and technical safeguards for Protected Health Information every year. An annual Security Risk Analysis (SRA) uncovers weaknesses in security policies, processes, and systems. After your first comprehensive SRA, each subsequent SRA only needs to review the previous one and update it to reflect changes within your organization.
The HHS Office for Civil Rights (OCR) has announced that auditing of SRAs is a top priority this year. After a disastrous round of audits in 2012, when 68% of audited organizations had adverse findings, this second round of HIPAA audits is expected to be more pragmatic and more comprehensive.
While technology has contributed greatly towards HIPAA compliance, you should be aware of the following myths…
MYTH #1: “My EHR vendor takes care of everything I need to do about HIPAA compliance.”
False . . . Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product; however, responsibility for compliance with the HIPAA Privacy and Security Rules lies with you. It is solely your responsibility to have a complete SRA conducted.
MYTH #2: “Simply installing a certified EHR fulfills the SRA Meaningful Use (MU) requirement.”
False . . . Even with a certified EHR, you must perform a full SRA. The Security Rule applies to all electronic protected health information you create, receive, maintain, or transmit, not only what lives in your EHR.
MYTH #3: “A complete SRA only needs to look at my EHR.”
False . . . A complete review covers every electronic device that stores, captures, transmits, or modifies protected health information. This includes all software and devices that can access your EHR data, e.g., tablets, smart phones, and laptops. Remember that copiers and multifunction printers also store data on internal drives, and special rules apply to remote access to PHI.
At RWA, we pride ourselves on our ability to conduct a proper SRA; please let us know if we can help in any way! Call us at 877-385-1928 or email us at email@example.com