With the introduction of the Meaningful Use Pay-for-Performance program in 2011, many healthcare organizations noted that they were required to perform an annual Security Risk Analysis (SRA) to meet the required objectives. However, it is a misconception that a Security Risk Analysis is only required by Meaningful Use.
An annual Security Risk Analysis is required to be conducted or reviewed under HIPAA regulations (CFR 164.308(a)(1)(ii)(A)). This means that, in order to be HIPAA compliant, healthcare organizations (including Business Associates) should analyze their Policies and Procedures against the outlined Administrative, Technical and Physical safeguards at least once a year.
Why does this Security Risk Analysis matter? In a world that is increasingly connected, and in which more and more information is stored electronically, it is critical that healthcare organizations assess and understand their risks related to Patient Health Information (PHI). At the beginning of 2015, the Office for Civil Rights (OCR) and Health and Human Services (HHS) announced they would begin HIPAA Audits of Covered Entities and Business Associates. A key component of the audit will be the strength of an organization’s Security Risk Analysis.
Lahey Clinic in Texas failed to conduct a Security Risk Analysis and then had a laptop stolen from their premises. As a result, last month (November 2015) HHS deemed that Lahey would be required to pay an $850,000 fine and is subject to a corrective action plan, which includes a properly conducted SRA. This is not uncommon: another major fine announced in November involved Triple-S Management Corporation and their associated entities. Triple-S is required to pay a $3.5 million fine for lack of a Security Risk Analysis.
Overwhelmed? Don’t know where to begin? Let us help you!
At DataFile Technologies, we take pride in cultivating and connecting Healthcare Data Experts. As such, we provide a variety of healthcare solutions, including Security Risk Analysis and HIPAA tools to address the annual Meaningful Use and HIPAA requirements.
To guarantee the delivery of an annual Security Risk Analysis by the calendar year deadline of December 31, 2015, DataFile must receive a signed engagement letter and payment from your organization no later than Tuesday, December 15th.
For a customized quote, contact our Meaningful Use and HIPAA Compliance Consultant, Kathryn Ayers Wickenhauser, at Kathryn.Wickenhauser@DataFileTechnologies.com or at 816-800-0074.