Why your Meaningful Use SRA is not enough
Many covered entities had a high level Security Risk Analysis (SRA) performed to "check the box" for meeting the Meaningful Use requirement. The HHS OCR has now performed enough audits, however, to know that a risk assessment isn't enough - Covered Entities need to take corrective action. With MACRA and HIPAA both requiring an SRA and HIPAA requiring a prioritized list of risks, corrective action plans, and a risk management process, it's time to have a proper risk assessment performed and take corrective action.
Proper Security Risk Analysis
You might ask, "What's a proper Security Risk Analysis?" It's a risk assessment that satisfies the following:
- Is based on the NIST SP-800 standard
- Addresses both cyber security and personnel issues to ensure ePHI is being adequately protected
- Interviews appropriate people about how they work with PHI, at rest and in motion
- Scores each question with a risk impact and risk probability
- Uses the scoring to prioritize the risks
- Creates a risk register (prioritized list) of issues (risks) that need to be corrected
Once you have completed a security risk assessment, you might ask, "Ok, so now that I have a prioritized list of risks, what do I have to do?" You must define the actions needed to correct each identified issue - then take action and track your actions electronically. As you correct issues, keep a log of who corrected it, when, and what was done.
What are the major issues you will likely have to correct?
- Provide current HIPAA training that includes cyber-security training for all employees that have access to ePHI.
- Provide current HIPAA officer training to the appropriate HIPAA officers (Privacy, Security).
- Create current customized HIPAA policies and procedures and train your staff on those policies and procedures. These need to be easy to read and understand by staff:
- Breach protocols and notification policy and plan.
- Customized contingency plan w/emergency response plan.
- Track each of your Business Associates (BA). Make sure you have a signed BA agreement and ask the BA for proof of HIPAA compliance.
- Maintain an electronic record of all of your HIPAA related actions, also referred to as the "book of evidence." You should be able to generate an SRA report and a compliance or status report on-demand and submit electronically to the OCR.
Repeat the SRA process annually - it is basically a risk management plan that will help your organization to manage risks and reduce liabilities.
Electronic Book of Evidence
It is VERY important to keep all of your information in electronic format. The OCR expects you to create and maintain an electronic book of evidence. This includes the risk assessment report, the scoring of each question, the risk register (list of issues), the corrective actions, any related actions, notes, and documentation, plus current HIPAA training that includes cyber-security, current HIPAA policies and procedures, and up-to-date business associate agreements that include documentation indicating that the BAs are being HIPAA compliant.
How to be Successful and Compliant
It's a major undertaking. Without a compliance management platform to automate much of the process and manage the documentation, it's very likely you and your team will fall short. This is why we invented CompassDB, a compliance management platform, that automates much of the work, reducing the effort by more than 65%.