The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. According to HIMSS’ 2014 Security Survey, a security risk analysis is the best process for a healthcare organization to gain a complete understanding of its security profile—the threat environment, system vulnerabilities, and overall risk exposure.
Risk analysis is a key requirement of the HIPAA final security rule and has been a requirement for healthcare organizations for many years. If you are participating in Meaningful Use, you are required to perform an annual risk analysis BEFORE the end of the reporting period to which you are attesting and, if risks are identified, to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”
When you attest for Stage 1 or 2, you are attesting that your practice is in compliance with this part of the HIPAA Security Rule. In some states (Ohio, for example), even just signing up for Meaningful Use requires that you affirm you are in compliance with all aspects of HIPAA. If you are subject to a Meaningful Use audit, you need to send a copy of your security risk analysis as part of the supporting documentation. Not only is the absence of a security risk analysis the most common reason we see for failing a Meaningful Use audit, but it also puts you in jeopardy with the Office for Civil Rights, the branch of the Department of Health and Human Services tasked with enforcing HIPAA.