While you’re taking care of patients, who’s protecting their health information? Ignoring security problems can be very costly. Protecting patients’ health information is not only vital to your business, it is critical to providing patient care.
The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires all organizations that create, receive, maintain or transmit electronic protected health information (ePHI) to conduct an annual security risk analysis. It requires you to evaluate risks and vulnerabilities, and implement security measures to protect ePHI. The Security Rule includes all your business associates as well.
A security risk analysis (SRA) evaluates your risks and vulnerabilities, including the security measures that safeguard patients’ protected health information (PHI). A comprehensive SRA cannot be conducted, and its deficiencies corrected, without extensive knowledge of the HIPAA privacy and security rules and of the ever-evolving information security technologies.
AFMC now offers SRAs as a private pay service. Our certified, experienced health information technology (IT) professionals can make sure that your practice:
- Complies with HIPAA’s required annual SRA
- Identifies and mitigates security risks
- Has privacy and security policies that are individualized for your practice
- Has access to the best practices to protect patients’ health information
- Complies with the requirements of incentive programs that mandate an SRA
- Has the required reports and supporting documentation
- Keeps pace with changing technology and information environments (SRAs must be completed/updated when you add new technology or make any change that could affect ePHI)
AFMC has the certified and experienced health IT professionals to handle this requirement so you can take care of patients. AFMC’s SRAs include proprietary tools and processes that address the technical, administrative and physical safeguards. In addition to our on-site assessment, we now offer a new virtual assessment.
Here’s why SRAs are important:
- If the Department of Health and Human Services (HHS) audits your practice or conducts a random compliance review or a complaint investigation, and you cannot produce a current and complete SRA, HHS can impose a fine for that alone. If an audit or investigation identifies a HIPAA data breach or other compliance issue, SRA-related flaws add to the civil penalty amount, even if the breach was unrelated to your SRA.
- SRAs can identify threats and vulnerabilities, helping to protect against data breaches.
- Completing an SRA and correcting its deficiencies are core requirements of many incentive and quality-improvement programs, including electronic health record (EHR) Meaningful Use incentive payments. A deficient SRA is the primary reason organizations fail EHR audits.
- Annual SRAs are required to satisfy Medicare’s standards for the Quality Payment Program (QPP) Merit-based Incentive Payment System (MIPS).
- A comprehensive SRA can help identify security gaps so you can address them with a corrective action plan.
Conducting an annual SRA, or review, is required by HIPAA law if you are an entity that creates, stores or transmits PHI. If the Office for Civil Rights or a state entity audits or investigates your practice, you must submit a tremendous amount of detailed documentation, including:
- Policies, procedures and evidence of security efforts
- Proof of prevention, detection, containment and correction of security violations
- Authentication methods for authorized PHI users
- Business associate agreements
- List of all staff and contractors with access to PHI
- Details about encryption, decryption and destruction of PHI
SRA specialists can save time and money and reduce the chances of missing a potential vulnerability. They can minimize intrusion on day-to-day operations without diverting your IT staff from critical support functions, allowing office staff to focus on patients and the practice.
For nearly 10 years, AFMC has successfully helped practices and providers complete their SRAs. Don’t take your annual SRA lightly; too much depends on the security of your patients’ PHI and the financial health of your practice.
To learn more, email SRA@afmc.org or contact your AFMC representative at 501-906-7511. There is no cost for your initial phone consultation. You may also visit afmc.org and choose the “Services” tab at the top of the page. Then select Security Risk Analysis from the drop-down menu and complete the online request form. We will contact you within one business day.