A security risk assessment, also referred to as an SRA, must be conducted to maintain HIPAA compliance under the Security Rule. It is a requirement for government plans such as Medicare, Obamacare, and Medicaid, and it is also required for individual health care plans and employer-sponsored plans.
Where to Start
Identify the following within your business regarding the electronic protected health information (ePHI) that your business handles:
- List all ePHI that is created, maintained, received, and transmitted
- Document all external sources of ePHI, and identify which vendors create, receive, maintain, and transmit the data
- Identify the threats to every system that contains ePHI, including human, natural, and environmental factors
The potential risks to your business can be identified as addressable or required. If you are unable to offset a risk, determine and document exactly why.
Once you've outlined which ePHI you have and how it is maintained, you'll determine how it is handled. This should include:
- How you screen personnel who have access to ePHI
- Which data to back up, and how you will do that
- Which encryption method you use
- Which data should be authenticated to protect data integrity
- How you will protect PHI as it is transmitted
A complete SRA
These are just starting points for completing your SRA, but you must first know what you have in order to understand your risk and accountability when it comes to ePHI. While there isn't a one-size-fits-all approach to conducting an SRA, there are guidelines: the Department of Health and Human Services (HHS) identifies criteria that will meet the SRA requirement. Working with a company such as HIPAA Secure Now will ensure that you meet the expectations of HHS and mitigate your risk of a violation.