A Security Risk Assessment is Mandatory for Your Practice or Organization.

Avoid EHR and HIPAA Penalties by Hiring a Certified Professional to Handle Your Annual Security Risk Assessments.

Should We Buy a “Risk Analysis in a Box”?

The short answer is NO.

There are over 300 variables that can go into a security risk analysis and the information provided by CMS can be confusing.

It is always recommended to have a CERTIFIED professional do the audit for you and provide ongoing updates and consultation as rules and regulations change.

What Is a Security Risk Analysis?

To make a simplistic medical analogy, a security risk analysis is the examination and testing you do to assess clinical risk and diagnose a condition. Just as you use a diagnosis and other clinical data to plan treatment, you will use the risk analysis to create an action plan to make your practice better at protecting patient information. Further, privacy and security are like chronic diseases that require treatment, ongoing monitoring and evaluation, and periodic adjustment.

A security risk analysis is a systematic and ongoing process of both:

  • Identifying and examining potential threats and vulnerabilities to protected health information in your medical practice.
  • Implementing changes to make patient health information more secure than at present, then monitoring the results (i.e., risk management).

The HIPAA Security Rule requires covered entities to conduct a risk analysis to identify risks and vulnerabilities to electronic protected health information (e-PHI). Risk analysis is the first step in an organization’s Security Rule compliance efforts. Following HIPAA risk analysis guidelines will help you establish the safeguards you need to implement based on the unique circumstances of your health care practice.
Risk analysis is an ongoing process that should provide your medical practice with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. HIPAA requires that covered entities “implement policies and procedures to prevent, detect, contain, and correct security violations” by conducting “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the [organization].”
Providers should develop a risk analysis that addresses these criteria by evaluating the impact and likelihood of potential breaches, implementing security features, cataloging security features, and maintaining security protections.
For more information, view OCR’s guidance on risk analysis.


About Bryan Brothers

Bryan Brothers is a healthcare consultant with over ten years’ experience in the healthcare and insurance industries.

With a start in IT business and retail network development, the transition to electronic medical records and meaningful use consulting services was a natural fit.

Bryan is a member of AHIMA, HIMSS, and the NRHA.

He served on the advisory board of Jefferson Technical College’s HIT program. As a member of the staff of the University of Kentucky’s Regional Extension Center, he worked as a policy and implementation advisor as well as a security consultant. Bryan has served as lead advisor to major clients such as Norton Healthcare and Twin Lakes Medical Foundation, and has worked with many prominent groups in central KY such as Nephrology Associates of Kentuckiana.

As the former REC Administrator for University Health Care, Bryan brings experience and knowledge to the table as a trusted advisor and privacy and security expert. In 2012 Bryan was commissioned as a Kentucky Colonel by Governor Steven Beshear, the highest honor awarded by the Commonwealth of Kentucky.

Bryan has worked with over 1100 providers, assisting with the achievement of meaningful use and the completion of the HIPAA privacy and security risk assessment.

When Bryan performs a HIPAA Security Risk Assessment, he includes the following:

HIPAA Security Risk Assessment

  • Security Risk Analysis based on HITECH requirements for MU
  • Includes review of Administrative, Technical & Physical safeguards
  • Remediation plan and timeline to eliminate or mitigate identified gaps
  • HIPAA compliant sample policies provided
  • Performed by AHIMA Certified HIPAA Privacy & Security professionals
