I’ve been writing about the need to do a HIPAA Risk Assessment since it was included as part of meaningful use. Many organizations have been really confused by this requirement and no doubt it will be an issue for many organizations that get a meaningful use audit. It’s a little ironic since this really isn’t anything that wasn’t already part of the HIPAA security rule. Although, that illustrates how well we’re doing at complying with the HIPAA security rule.
It seems that CMS has taken note of this confusion around the HIPAA risk assessment as well. Today, they sent out some more guidance, tools and resources to hopefully help organizations better understand the Security Risk Analysis requirement. Here’s a portion of that email that provides some important clarification:
A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.
For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014. Fore more information, read this FAQ.
*Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
*In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.
CMS also created this Security Risk Analysis Tipsheet that has a lot of good information including these myths and facts which address many of the issues I’ve seen and heard:
Finally, it’s worth reminding people that the HIPAA Security Risk Analysis is not just for your tech systems. Check out this overview of security areas and example measures to secure them to see what I mean:
Have you done your HIPAA Risk Assessment for your organization?