The Office of the National Coordinator for Health Information Technology (ONC) has published a list of the top 10 Myths of Security Risk Analysis. The complete list can be found here:
The first myth is one we get asked about all the time.
1.) The security risk analysis is optional for small providers.
False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
No matter the size of your organization, you must perform a Risk Analysis / Risk Assessment. We gave more insight into the requirements of small providers
4.) I have to outsource the security risk analysis.
False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
This myth is interesting. While outsourcing the Risk Analysis is not a requirement, ONC makes it clear that a risk analysis that will stand up to a compliance review, such as an audit, is best performed by an experienced outside professional.
8.) I only need to do a risk analysis once.
False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see the Reassessing Your Security Practice in a Health IT Environment (PDF).
The HIPAA Security Rule focuses on a Risk Management process. Risk Management is an ongoing cycle: perform a Risk Analysis, implement additional security measures, then perform another Risk Analysis, and so on. Best practices call for performing or updating a Risk Analysis annually.
We wrote an easy-to-understand guide to HIPAA Risk Assessments. Download our free paper below for more valuable insight.
Understand a HIPAA Risk Assessment
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.
to better understand the HIPAA Risk Assessment process