HIPAA requires organizations that handle PHI (protected health information) to regularly review the administrative, physical and technical safeguards they have in place to protect the security of patient information. By performing risk assessments or analyses, entities can uncover potential weaknesses and vulnerabilities in their policies, processes and systems. These assessments are ongoing and must be repeated regularly, because entities are in constant change.
Here are some myths about performing these assessments:
Security Risk Analysis is optional for small providers: False
ALL providers, healthcare or otherwise, that handle PHI are required to perform a risk analysis.
Simply installing and using an EHR compliant system fulfills the security risk analysis: False
A risk analysis must address all aspects of your systems, not just the information contained in your EHR software.
My EHR vendor took care of everything I need to do about security: False
Your EHR vendor may be able to provide information, assistance and training, but vendors are not responsible for making their products compliant with HIPAA – it is solely the responsibility of the entity to have a complete risk analysis conducted.
A checklist will suffice for the security risk analysis: False
Checklists are tools that can be useful, but they fall short of comprehensive and clear documentation of what risks exist and how they are being addressed.
There is a specific risk analysis everyone must follow: False
A risk analysis can be performed in countless ways, as long as it addresses all three areas – administrative, physical and technical.
I only need to do the risk analysis once: False
Full HIPAA compliance requires that you review, correct, modify and update your security protections. This can only be done by routinely reviewing the systems in place and making changes when appropriate.