You might be aware that all practices need to complete a ‘Security Risk Analysis’ as a part of their HIPAA compliance program, but do you know exactly what this analysis covers? While this is the first step and among the most important aspects of a complete HIPAA program, it is often missed or not properly completed – in fact, during the latest round of OCR audits, 83% of covered entities could not show a properly documented Security Risk Analysis for their practice. 

The HIPAA Security Rule defines a Security Risk Analysis (SRA) as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate.” In layman’s terms, the risk analysis is a systematic review of your processes and policies that is ultimately designed to shed light on any aspects of your practice that could be considered weaknesses in protecting the privacy and security of your practice and the protected health information (PHI) it holds. Not having a properly documented analysis leaves potential risks unidentified and is a huge red flag for your overall compliance efforts.

What questions does an SRA need to include? There is no specific checklist to follow when it comes to performing a risk analysis for your practice. The OCR does however provide specific elements that should be included. Your assessment should: 

• Assess current security measures used to safeguard PHI
• Identify where PHI is stored, and how it is received or transmitted for the full scope of your practice. This includes accounting for all areas from your electronic medical records system to your patient billing systems.
• Assess whether the current security measures are used properly
• Determine the potential impact of a breach of PHI
• Assign risk levels for vulnerability and impact combinations
• Identify and document potential threats and vulnerabilities
• Document the assessment and take action where necessary

Completing a risk analysis for your organization is not just a one-time thing. Assessments should be reviewed periodically, especially as new work processes are implemented or technologies are updated. After events such as COVID-19, addressing any changes your practice made regarding remote operations, utilizing telehealth services, or receiving/providing more information electronically rather than in a physical exchange are all things that will need to be addressed for any additional vulnerabilities or threats they brought on. 

What’s the best way to tackle an SRA? If your organization hasn’t completed an SRA before or has done so in a more basic or incomplete manner, using an outside organization will help to ensure all areas of the SRA are fully completed and documented accordingly. A third party can also help add new areas and questions to the SRA that reflect changing regulations as well as technology enhancements that present new threats or vulnerabilities to your organization.