Best Practices

August 13, 2021 HIPAA is kind of like a puzzle – without having each and every individual requirement in place, your practice can’t consider itself fully compliant. But much like building a jigsaw blindfolded, it’s a lot harder to piece together the big picture of compliance with all of the misconceptions out there masking what HIPAA’s requirements actually entail.  Now, the first piece in this so-called “HIPAA puzzle” is the Security Risk Analysis (SRA) which requires all covered entities to assess any potential risks and vulnerabilities to protected health information (PHI) based on the physical, technical, and administrative safeguards that their organization has in place. It’s essentially just a self-evaluation that helps lay the groundwork for a complete HIPAA program AND is the first thing a practice will be asked to provide in the case of an audit. But despite its importance, only 14% of entities actually fulfill the requirement – so what is causing this lack of compliance and why does the SRA seem like an unsolvable puzzle in itself? A large piece of the widespread noncompliance is all of the confusion that surrounds the ‘what, why, and how’ of the SRA. This is why in order to ensure all organizations know how to complete the first part of the big HIPAA puzzle, we need to break down the myths vs the facts.  Myth #1: Small practices and independent providers don’t need to worry about the SRA. False: All providers, no matter the size or specialty, are covered entities under HIPAA and are therefore obligated to perform a risk analysis along with all other requirements under HIPAA law. Myth #2: My Electronic Health Record (EHR) takes care of privacy and security, so I don’t need to complete an SRA. False: Even with a certified EHR, the risk analysis isn’t completed for you. The EHR vendor may provide information and training on the privacy and security aspects of their product but they are not responsible for privacy and security compliance within your practice. Additionally, an SRA involves all PHI within your organization, including what isn’t housed in your EHR like paper records and files.   Myth #3: My IT company handles a full SRA.  False: Similar to the confusion around your organization’s EHR, IT companies might help to assess technical safeguards and identify technical risks – but do not provide a comprehensive analysis of all aspects of your organization to cover the administrative and physical requirements.  Myth #4: I can use a templated checklist to complete my SRA.  False: While the government does provide some tools that can be used as helpful guidance for conducting an SRA, in order for the analysis to meet the requirements it must assess specific elements of your organization and practice operations which may differ from the types of things assessed in a template or generic checklist.  Myth #5: The SRA is a one-time thing and as long as I completed it once, I’m good to go! False: The HIPAA Security Rule specifically states, “the risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” But although, your organization does need to be conducting an SRA on a continual basis – this doesn’t mean that each year you’ll need to start over from scratch. It’s important (and required) that you update your SRA annually at the very least as well as any time there are changes to your practice or systems to identify any changes in risks and maintain the necessary safeguards within your organization.  While we hope our little game of “myth busters” helped clarify any confusion around what goes into completing this requirement and why it’s so important, we know that it might’ve also caused some concern for how a small, independent practice is supposed to tackle all of this alone. Completing a comprehensive analysis (on an ongoing basis) along with the proper documentation and risk mitigation that’s required involves time, resources, and expertise that might seem unfeasible to a small or medium-sized organization. But luckily there are outside resources available to help debunk the other misconception that completing an SRA HAS to be challenging. So while your practice can tackle this requirement DIY-style, a software solution like Abyde makes it so you don’t have to – providing all the tools and support to guide you through the misconceptions and help to put the pieces into place so that your practice can easily complete the puzzle of HIPAA compliance. Schedule a one-on-one consultation today to see where your practice currently stands and how Abyde makes meeting the SRA – and all other HIPAA requirements – a breeze!