Top 10 Myths of Security Risk Analysis (Part 1 of 10) – Optional for Small Providers?
In this 10 part series we will explore the top 10 myths of Security Risk Analysis and how they potentially impact you as a covered entity.
Myth #1: The Security Risk Analysis is optional for small providers.
This is absolutely 100% false. All providers who fall into the category of "covered entities" are in fact required to perform a risk analysis. Not only are they required to do this, but this is nothing new: risk analysis has been part of the HIPAA Security Rule since 2003 and is something that medical practices should have been doing all along. If you are going after Meaningful Use incentive money it is also a requirement (Core Objective 15). I think one of the reasons many providers believe this to be optional is that many practices are not going after Meaningful Use money and are unaware that it is a requirement under HIPAA in its own right.
To be clear, the guidance provided by the Office for Civil Rights (OCR) points out that this is not a black-and-white process: OCR does not prescribe a specific methodology, and it recognizes that the methods will vary based on the size, complexity, and capabilities of the organization.
Risk Analysis Requirements under the Security Rule:
Conduct an accurate and thorough assessment that looks for risks and vulnerabilities to the confidentiality, integrity, and availability of electronic health information in the custody of the named provider. Potential outcomes of conducting this risk analysis include:
- Protect PHI from costly data breaches
- Meet Stage 1 and Stage 2 Meaningful Use requirements for Covered Entities
- Raise employee IT security awareness
While having the security analysis done by a third party is not required, the complexities of the analysis make doing it on your own difficult. Our recommendation is that you engage a company that specializes in performing a HIPAA Security Risk Analysis, which should cover the following three risk management components:
- Evaluation and assessment, to identify assets and evaluate their properties and characteristics.
- Risk assessment, to discover the threats and vulnerabilities that pose risk to those assets.
- Risk mitigation, to address each risk by transferring, eliminating, or accepting it.
Why Untangled Solutions?
Since 2009, Untangled Solutions and its world-class team of IT security experts have been performing security, privacy, and breach vulnerability assessments for covered entities all over the United States. You can count on Untangled Solutions to provide you with a complete book of evidence, and we are 100% committed to your success.