10 Myths of Security Risk Analysis Debunked

The HIPAA Security Rule requires organizations subject to HIPAA to conduct a Security Risk Analysis (SRA) to identify, address and mitigate risks to protected health information (PHI). The Office of the National Coordinator (ONC) published a list of ten common myths related to the SRA process. We’ve expanded on the ONC’s prior list, providing additional guidance from our experience working with numerous healthcare data experts across the United States. As many organizations seek to understand the SRA process, they may want to keep the following tips in mind.

“The Security Risk Analysis is optional for small practices”

Myth! All organizations subject to HIPAA (both covered entities and business associates) are required to perform a Security Risk Analysis in accordance with the HIPAA Security Rule. There is no exemption for small practices.

“Installing a certified EHR fulfills the Security Risk Analysis MU or MIPS requirement”

Myth! Even with a certified Electronic Health Record (EHR) platform, you must perform a full Security Risk Analysis to meet HIPAA, Meaningful Use (MU), and Merit-Based Incentive Payment Systems (MIPS) requirements. Security requirements address all protected health information you maintain, not just what is in your EHR.

“My EHR vendor took care of everything I need to do about privacy and security”

Myth! Your EHR vendor may be able to provide information, assistance and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules for you. It is solely your responsibility to have a complete Security Risk Analysis conducted.

“I have to outsource the Security Risk Analysis”

Myth! It is possible for small organizations to do Security Risk Analysis themselves using self-help tools. However, doing a thorough and professional Security Risk Analysis that will stand up to a compliance review or Office of Civil Rights (OCR) audit will require expert knowledge which can be obtained through services of an experienced outside professional. Interested in assistance? DataFile can help!

“A checklist will suffice for the Security Risk Analysis requirement”

Myth! Checklists can be useful tools, especially when starting a Security Risk Analysis, but they fall short of performing a systematic Security Risk Analysis or documenting that one has been performed.

“There is a specific Security Risk Analysis method that I must follow”

Myth! A Security Risk Analysis can be performed in countless ways, as long as it meets the regulatory requirements of an SRA. Health and Human Services (HHS) has issued Guidance on Security Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure PHI.

“My Security Risk Analysis only needs to look at my EHR”

Myth! Review all electronic devices that store, capture or modify electronic protected health information, and also consider any paper PHI. The SRA process is not just limited to electronic sources of PHI but should include physical PHI as well. Include your EHR hardware and software and devices that can access your EHR data (i.e., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data!

“I only need to do a Security Risk Analysis once”

Myth! To comply with HIPAA, you must continue to review, correct or modify, and update security protections. If participating in Meaningful Use or MIPS, an SRA must be conducted for each reporting period.

“I must fully mitigate all risks identified right now”

Myth! Organizations should address all risks identified as part of a Work Plan and work to correct them over time as reasonable and appropriate within the confines of the regulations.

“Each year, I’ll have to completely redo my Security Risk Analysis”

Myth! Each year, or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. This does not mean your organization needs to start from scratch; however, a thorough review is still advised. Under the Meaningful Use and MIPS programs, reviews are required for each reporting period.

Need Assistance with a Security Risk Analysis?

DataFile can help! We know the Security Risk Analysis process can take a significant amount of time and resources to conduct in house. Our Security Risk Analysis service differs from others on the market because a team of experienced and dedicated experts will complete your SRA for you!

After completion and review of an organizational profile to learn more about your organization, the SRA team conducts an informational phone interview with you to gather the information they need to document the responses required for your SRA documentation. This interview process leaves the “heavy lifting” to our team, alleviating your staff time and responsibility. The result is quality and in-depth documentation backed by years of experience.
As part of the process, the DataFile SRA team addresses administrative, physical and technical safeguards, ultimately outlining opportunities for improvement and associated risk levels. Through a secondary review call, our team provides suggestions for addressing any identified deficiencies. Additionally, as the Security Risk Analysis often relies on what is documented as part of an organization’s policies and procedures, the DataFile team produces 18 semi-customized policies for your organization.

Save staff time and be confident in the quality of your SRA. Contact us today to learn more and receive a custom quote!


Security Risk Analysis: It’s Not Black and White

It’s that time of year again! The air is crisp, the leaves are changing colors and Halloween is right around the corner. In healthcare, the season change also provides us with another reminder – have we completed our annual Security Risk Analysis before year-end?

In 1915, W. E. Hill published the famous cartoon “My Wife and Mother-in-Law” with the caption, “They both are in this picture — find them!” This optical illusion is known for its two distinctive faces. When most look at this image, they immediately make out one of the faces. Which one do you see?

Similarly, when you look at your Security Risk Analysis (SRA) documentation, do others see what you see, or is their impression different from yours? HIPAA tells us that an annual SRA is required. In the past, many healthcare organizations have looked at the SRA as just another task to check off a checklist to be compliant. However, in light of recent Office of Civil Rights (OCR) audits and fines, the Security Risk Analysis cannot be devalued. The SRA is meant to serve as an evaluation of your compliance with various administrative, physical and technical safeguards pertaining to both the Privacy and Security portions of HIPAA. Unfortunately, this process is not “black or white.” It is notoriously vague, sometimes creating different impressions of what is acceptable for a strong SRA. As such, healthcare organizations are often confused or do not appropriately document what should be captured in the SRA. Organizations can often fill in the blanks verbally if asked a question, but many times they overlook capturing those small — but important — details on paper, where it really matters.

Does your Security Risk Analysis documentation tell the whole story? Or will a bystander (like the OCR) be left to form their own impression of the image you’ve created? Utilize a second set of experienced eyes to know whether everyone will have the same impression when relying on the snapshot of your documentation. Some third parties are extremely proficient in HIPAA and have an ability to “read between the lines.” Some can help you capture those verbal responses and ensure your documentation is complete in case the OCR does come knocking at your door. Don’t leave your Security Risk Analysis documentation up to interpretation; verify that your SRA accurately and comprehensively captures your organization’s Policies and Procedures.

By the way, if you are having trouble with the above image, the “wife” in the cartoon can be spotted by looking to find her eyelashes and nose on the left side of the image. Imagine her chin is a nose and her necklace is a mouth to spot the “mother-in-law.” Two different perceptions from one image!


Need help completing your Security Risk Analysis for 2016?  DataFile provides a comprehensive HIPAA compliance portal solution which includes an SRA. Contact Kathryn Ayers Wickenhauser at Kathryn.Wickenhauser@DataFileTechnologies.com for a customized quote based on your total number of employees (including providers).


Recent News Reinforces the Importance of a Comprehensive Security Risk Analysis

Sometimes healthcare regulations can seem like a moving target, constantly evolving and changing as we work to keep up with our increasingly connected world.  Even in an environment of change, there are some constant trends, including the importance of protecting patient privacy and rights through an annual review of compliance with the HIPAA Privacy and Security rules, more commonly referred to as a Security Risk Analysis (SRA).

As healthcare becomes more technologically advanced, more emphasis is being placed on the importance of conducting a comprehensive SRA.  In fact, recent Office of Civil Rights (OCR) audits will specifically review the SRAs of both Covered Entities and Business Associates.  In June, Catholic Health Care Services of the Archdiocese of Philadelphia (a Business Associate) was fined $650,000 by Health and Human Services (HHS) for failure to conduct an “accurate and thorough” SRA.  Just this month, we saw HHS issue a record $5.5 million fine to Advocate Health Care Network in part because of failure to conduct an appropriate Security Risk Analysis.

Jocelyn Samuels, Director of the OCR, emphasized the importance of a robust Security Risk Analysis, stating “We hope this settlement sends a strong message to Covered Entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.  This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

What’s your liability limit?  Are you willing to accept penalties of $650,000?  Or $5.5 million as we’ve seen in these cases for failure to complete a strong SRA?  Many organizations conduct their SRA in house in an effort to check off a box to meet Meaningful Use program requirements.  But is that the best option for you given the importance of compliance?  As healthcare data experts, DataFile Technologies offers a comprehensive HIPAA compliance solution, which includes a team of experts conducting your Security Risk Analysis for you.

If you’d like to learn more about the DataFile Security Risk Analysis solution, please email Kathryn Ayers Wickenhauser, our Meaningful Use / HIPAA Compliance Consultant at Kathryn.Wickenhauser@DataFileTechnologies.com.  Kathryn will provide a customized quote based on your total number of employees (including providers).

Webinar Recording Available: “The OCR Audits are Coming”

Did you miss today’s webinar? No fear, the recording is available for your reference as we look ahead to upcoming OCR Phase Two Audits!

Keep in mind, the Office of Civil Rights (OCR) Phase Two Audits don’t have to be scary! The OCR has been fairly transparent about what these 200+ audits over the next six months will look like. The awareness of these Phase Two Audits picked up steam on May 20th, 2016 as more than 12,000 healthcare entities were contacted to verify their primary contact information.

The OCR is using the email address OSOCRAudit@hhs.gov to reach out to healthcare entities to verify contact information.  If your organization has not received an email yet, continue to watch your spam filter to ensure you do not miss communication.

Have questions?  Looking for additional guidance?  We offer services to help prepare you if your organization is selected! Learn more or contact us at Education@DataFileTechnologies.com

Ready to hear more about these Phase Two Audits from Kathryn Ayers Wickenhauser? Please access the webinar by completing the form below:

Webinar: The OCR Audits are Coming

Recording from June 6th, 2016

Have You Met Your Year-End HIPAA Requirements?

There are just a Few Days Left to Schedule and Complete Your Annual Security Risk Analysis for the 2015 Calendar Year

With the introduction of the Meaningful Use Pay-for-Performance program in 2011, many healthcare organizations noted that they were required to perform an annual Security Risk Analysis (SRA) to meet the required objectives.  However, it is a misconception that a Security Risk Analysis is only required by Meaningful Use.

An annual Security Risk Analysis is required to be conducted or reviewed under HIPAA regulations (CFR 164.308(a)(1)(ii)(A)).  This means, in order to be HIPAA Compliant, healthcare organizations (including Business Associates) should analyze their Policies and Procedures in relation to outlined Administrative, Technical and Physical safeguards on at minimum an annual basis.

Why does this Security Risk Analysis matter?  In a world that is increasingly connected, where more and more information is stored electronically, it is critical that healthcare organizations assess and understand their risks related to Patient Health Information (PHI).  At the beginning of 2015, the Office of Civil Rights (OCR) and Health and Human Services (HHS) announced they would begin HIPAA Audits of Covered Entities and Business Associates.  A key component of the audit will be the strength of an organization’s Security Risk Analysis.

Lahey Clinic in Texas failed to conduct a Security Risk Analysis and then had a laptop stolen from their premises.  As a result, last month (November 2015) HHS deemed that Lahey would be required to pay an $850,000 fine and is subject to a corrective action plan, which includes a properly conducted SRA.  This is not uncommon – another major fine announced in November involved Triple-S Management Corporation and its associated entities.  Triple-S is required to pay a $3.5 million fine for lack of a Security Risk Analysis.

Overwhelmed?  Don’t know where to begin?  Let us help you!

At DataFile Technologies, we take pride in cultivating and connecting Healthcare Data Experts.  As such, we provide a variety of healthcare solutions, including Security Risk Analysis and HIPAA tools to address the annual Meaningful Use and HIPAA requirements.

To guarantee the delivery of an annual Security Risk Analysis by the calendar year deadline of December 31, 2015, DataFile must receive a signed engagement letter and payment from your organization no later than Tuesday, December 15th.

For a customized quote, contact our Meaningful Use and HIPAA Compliance Consultant, Kathryn Ayers Wickenhauser, at Kathryn.Wickenhauser@DataFileTechnologies.com or at 816-800-0074.

Meaningful Use or Meaningful Confusion? Part 3 of 3

This is Part 3 of our Three-part Blog Series, “Introduction of Stage 3,” which outlines the objectives finalized for Stage 3 under the October 16, 2015 Final Rule.

Meaningful Use was introduced as part of the HITECH Act as a means to encourage healthcare providers to adopt electronic health records, and also to begin the shift to additional quality care metrics. Yet, since Meaningful Use began in 2011, there have been many critics who assert that the program does not achieve the meaning in Meaningful Use.  As such, there have been multiple iterations of the rule and the various stages.  We will present to you the latest changes that you need to know in this three-part blog post series.

Part three of the series, “Introduction of Stage 3,” outlines the objectives finalized for Stage 3 under the October 16th Final Rule.  You can view Part One of our series, “Changes for 2015,” here.  Part Two of the series, “Changes for 2016-2017,” can be viewed here.


Optional 2017 Reporting and Required 2018 Reporting

Stage 3 will be available for attestation in 2017, although it won’t be required as previously thought. Eligible Providers will be given the option of attesting to Stage 3 in 2017 for a 90 day reporting period.  In 2018, all Providers, regardless of what stage they were scheduled to be on, are to attest to Stage 3 Objectives for a calendar year reporting period.  The optional year in 2017 will allow providers to “test the waters” with a shorter reporting period and begin preparing for Stage 3 before they are required to implement it.


Eight Objectives

Unlike previous iterations of Meaningful Use, there are no Core and Menu Objective Sets, only required Objectives. Modified Stage 2 set the tone by absorbing previous measures into one set of measures, a precedent that Stage 3 will follow. Stage 3 features many measures from previous versions of Meaningful Use, often with higher thresholds and fewer exclusions.


Stage 3 Objectives Summary

  • Objective 1 – Protect Patient Health Information: Conduct a Security Risk Analysis within the Reporting Period (RP).
  • Objective 2 – Electronic Prescribing: More than 60% of permissible prescriptions written by the Eligible Provider (EP) in the RP are queried for a drug formulary and transmitted electronically.
  • Objective 3 – Clinical Decision Support:
      1 – Implement five Clinical Decision Support Rules related to four or more Clinical Quality Measures.
      2 – Enable Drug-Drug and Drug-Allergy interaction checks for the entire RP.
  • Objective 4 – Computerized Provider Order Entry (CPOE):
      1 – More than 60% of medication orders during the RP are created through CPOE.
      2 – More than 60% of lab orders during the RP are created through CPOE.
      3 – More than 60% of radiology orders during the RP are created through CPOE.
  • Objective 5 – Patient Electronic Access:
      1 – More than 80% of unique patients seen by the EP during the RP are provided timely access to view online, download, or transmit their health records, which can be accessed using the application of the patient’s choice.
      2 – More than 35% of patients seen by the EP in the RP receive patient-specific education resources that were identified by the CEHRT and receive electronic access to those materials.
  • Objective 6 – Coordination of Care through Patient Engagement:
      1 – More than 10% of unique patients seen by the EP during the RP view online, download, or electronically transmit their health information, or access their health information from an application of their choice.
      2 – More than 25% of unique patients seen by the EP during the RP are sent an electronic message using the secure messaging feature of CEHRT.
      3 – For more than 5% of unique patients seen in the RP by the EP, patient-generated health data or data from a non-clinical setting is incorporated into the CEHRT.
  • Objective 7 – Health Information Exchange:
      1 – For more than 50% of transitions of care and referrals, the EP that refers the patient creates and electronically exchanges the summary of care record using CEHRT.
      2 – For more than 40% of transitions of care or referrals received by the EP where the EP has never encountered the patient, the EP receives and incorporates into the patient’s record an electronic summary of care document.
      3 – For more than 80% of transitions of care or referrals received by the EP where the EP has never encountered the patient, the EP performs clinical information reconciliation.
  • Objective 8 – Public Health and Clinical Data Registry Reporting:
      1 – Immunization Registry Reporting
      2 – Syndromic Surveillance Reporting
      3 – Electronic Case Reporting
      4 – Public Health Registry Reporting
      5 – Clinical Data Registry Reporting


Still confused? Do you need one-on-one guidance regarding your organization? We can help!  Please contact our Meaningful Use Expert, Kathryn Ayers Wickenhauser (Kathryn.Wickenhauser@DataFileTechnologies.com) for guidance about how these changes impact you.

Massachusetts Practice Takes a $1.5M Hit From New HIPAA Smackdown

The Office for Civil Rights appears to be sending a stern and serious message to practices nationwide as the first stage of Meaningful Use wraps up. Less than four months after the Alaska DHHS’s $1.7 million settlement we reported on in August, another practice has been slammed with a $1.5 million fine for a potential breach of the Health Insurance Portability and Accountability Act.

Two years after alerting the OCR of their own security breach in the form of a stolen laptop, Massachusetts Eye and Ear Associates Inc. and its associated hospital Massachusetts Eye and Ear Infirmary (collectively referred to as “MEEI”) have agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential HIPAA violations.

According to reports, the laptop did not contain patient billing information, and none of the patients in question appear to have experienced any negative side effects as a result of the theft. Regardless, it was enough for the OCR to launch a full investigation as they fell down the rabbit hole of deficiencies and overlooked security gaps in MEEI’s system, exposing them in the following areas:

  • Failing to conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices
  • Failing to implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained and transmitted using portable devices
  • Failing to adopt and implement policies and procedures to address security incident identification, reporting and response

The OCR investigation revealed that these failures continued over an extended period of time, “demonstrating a long-term, organizational disregard for the requirements of the Security Rule,” according to the OCR.

Despite MEEI’s reported “disappointment” in the OCR’s pricey ruling (based on “lack of patient harm” and the hospital’s relatively low annual revenues), the fine stands – and should serve as a reminder that even smaller practices are at risk for crippling fines if found in non-compliance.

We can only anticipate that these audits – and subsequent fines – will become increasingly frequent and severe. If you aren’t 100% sure your practice would be safe and sound in the face of a scrutinizing review, DataFile can help. We specialize in securing practices with comprehensive security risk analyses and even offer the option to outsource medical records management, including the full transfer of HIPAA liability under the HITECH Act. Make sure your practice doesn’t get caught red-handed. Call us at 816.437.9134 for a free consultation.

Analyzing Potential EMR Risks Could Mean Added Benefits

If your practice, like most of our clients’, has already switched to an EMR system, you probably know about the benefits of having an electronic system – records are more readily available, you can save time spent filing data by outsourcing, etc. But there are also a lot of risks associated with an electronic records system – more possibilities for data breaches, HIPAA violations and hefty fines.

If you haven’t completed Measure 15 for Meaningful Use, now’s the perfect time to confidently check that off your to-do list while ensuring you are operating a secure practice when it comes to your patients’ confidential information. Data suggests many practices haven’t run a risk assessment on their system in years, which could mean gaping holes that go unidentified.

A comprehensive security risk analysis has a thorough system of checks and balances that tests and measures every possible security breach in your system, assessing your practice and identifying possible issues. Once you recognize where your problems are, you can focus on ways to fix them.

Meaningful Use designates what a HIPAA-compliant, robust security risk analysis looks like, plus what it’s NOT:

  • A network vulnerability scan
  • A penetration test
  • A social engineering test
  • A configuration audit
  • A network diagram review
  • A questionnaire
  • An information system activity review

Though all of these things can be used in conjunction with other measures to add to a risk analysis, none on their own make the cut. Thinking about your security risk analysis now will save you a headache come Meaningful Use deadlines, when every practice that fell a little behind is scrambling to get everything done. And even if you’ve already attested for Stage 1 of Meaningful Use and think you’re in the clear, don’t forget that your yearly required security risk analysis is already right around the corner.

The security risk analysis offered through DataFile Technologies is specifically designed to be secure, accurate and comprehensive under these regulations. Additionally, getting your security risk analysis through DataFile is cost-effective, saving you the time of trying to figure it out on your own. Remember, investing in a quality security risk analysis costs far less than the fine you would face for not having one. SRAs are cost-effective, starting at $2,200 for practices seeking reassurance that Measure 15 is achieved and documented.


View Our Measure 15 Video

Staying Ahead of the EHR Incentive Program Game by Analyzing Security Risks

With the overwhelming amount of work that most clinics and practices face every day, sometimes it’s hard to plan past the next patient’s appointment time – much less start planning for a 90-day Meaningful Use attestation period that isn’t technically required for months. But with the last chance to begin the 90-day 2012 reporting period for the Medicare EHR Incentive Program rapidly approaching on October 3, getting ahead of the game is worth a little extra prep time.

Important Medicare Dates to be Mindful of:

  • October 1, 2011 – Reporting year began for eligible hospitals and CAHs.
  • January 1, 2012 – Reporting year began for eligible professionals.
  • May 2012 – EHR Incentive Payments began.
  • July 3, 2012 – Last day for eligible hospitals to begin their 90-day reporting period to demonstrate meaningful use for the Medicare EHR Incentive Program.
  • September 30, 2012 – Last day of the federal fiscal year. Reporting year ends for eligible hospitals and CAHs.
  • October 3, 2012 – Last day for eligible professionals to begin their 90-day reporting period for calendar year 2012 for the Medicare EHR Incentive Program.
  • November 30, 2012 – Last day for eligible hospitals and critical access hospitals to register and attest to receive an Incentive Payment for FY 2012 under the Medicare EHR Incentive Program.
  • December 31, 2012 – Reporting year ends for eligible professionals.
  • February 28, 2013 – Last day for eligible professionals to register and attest to receive an Incentive Payment for calendar year (CY) 2012.

Although every measure designated by Meaningful Use is important to ensure you receive the maximum incentive payment, the easiest to evaluate – and therefore most heavily audited – is the security risk analysis. Essentially an audit in and of itself, the security risk analysis is more easily verified than other Meaningful Use Measures, which consist primarily of demographic information that can be time-consuming and costly to pull out of an EMR. Although every measure should be met accurately, focusing on the one that will almost surely be scrutinized is wise.

Getting your practice in order now can guarantee peace of mind come September, when most others will be scrambling to get their act together. Some unprepared practices may even get left behind. Waiting until the last minute can result in massive penalties (should you be audited and they find problems) since practice administrators are more likely to run into problems they don’t have time to fix and could end up unable to complete a security risk analysis at all by the deadline.

But beware of the “security risk analysis” that is inaccurate, incomplete or misleading. Questionnaires, network vulnerability scans, configuration audits or penetration tests, among many others, are NOT complete risk analyses under the requirements set forth by the HHS/OCR. According to an OCR-issued document regarding risk analysis requirements under the HIPAA Security Rule: “A Risk Analysis is the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, … resulting from the operation of an information system.  Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.”

The Security Risk Analysis offered through DataFile Technologies is specifically designed to be secure, accurate and comprehensive under these regulations. Additionally, getting your Security Risk Analysis through DataFile is cost-effective, saving you the time of trying to figure it out on your own. Remember, investing in a quality Security Risk Analysis costs far less than the fine you would face for not having one.

Avoid the end-of-the-year dash, and start planning for your Security Risk Analysis today.  We invite you to join us for an upcoming educational webinar, “Measure 15: Don’t Do It Alone!” on July 24 at 2pm CST, or to contact one of our security risk analysis experts today.