The HIPAA Security Rule requires physician groups to perform a Security Risk Analysis (SRA) regularly to achieve compliance. But what does “regularly” mean, and how does it affect you?
Our own Kelly Benson, a Solutions Consultant here at DeliverHealth, and Arielle Van Peursem, National Partner Manager for our friends at Medcurity, helped answer that question and more in their recent article, Security Risk Analysis – How Physician Groups Can Meet HIPAA Compliance, in For the Record magazine.
- Given the rise in cybersecurity concerns and threats against hospitals, physician practices, and medical groups, our experts recommend performing an SRA annually at a bare minimum.
- An SRA is more than “checking the box” for the federal government. When done properly, an SRA identifies risks and vulnerabilities related to inappropriate access to protected health information (PHI).
- Changes coming to the Merit-Based Incentive Payments Program (MIPS) in 2022 will make it impossible to achieve MIPS without an SRA. Organizations must score at or above 85% to qualify for the MIPS exceptional performance bonus, and one of the four MIPS categories, Promoting Interoperability (PI), accounts for 25% of the overall score. Without an SRA, the entire category gets thrown out.
- An SRA that meets MIPS requirements must include all three safeguards in the HIPAA Security Rule (administrative, physical, and technical), along with the implementation of a risk management plan to update security deficiencies identified in the SRA.
- Failing to properly perform an SRA is a costly choice. If you just “check the box” without completing an SRA, you could be considered in willful neglect and subject to the highest-tiered penalty of $50,000 per record exposed.
- While your IT staff contributes to the development of security policies, most organizations will need an objective third-party expert to conduct an SRA that meets federal guidelines.
Learn more—including why the free SRA spreadsheet provided by the U.S. Department of Health & Human Services is only a starting point—in the full article.