Many small providers think that they are exempt from conducting a risk analysis in order to meet Meaningful Use Stage 2 (MU 2) requirements and receive incentives. However, if a provider is a "covered entity", this is not true. Under the Health Insurance Portability and Accountability Act (HIPAA), a risk analysis is required to receive incentive payments.

A true risk analysis has many components, and free guidelines are available, such as:

NIST SP 800-30: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf

What does a risk analysis include?

"The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits." (45 C.F.R. § 164.306(a).)

Electronic Protected Health Information (e-PHI) in all forms, from computer hardware to wireless printers, must be taken into account with regard to how it is created, received, maintained or transmitted. Once all of the e-PHI has been identified, the provider must then identify and decide on the likelihood of a vulnerability or threat, the impact of that threat, and the level of risk associated with that threat.

If you have recently implemented a new or upgraded Electronic Health Records (EHR) system, do not assume that a risk analysis was included. EHR vendors are under no obligation to make their software HIPAA compliant.

Providers are not required to outsource their risk analysis. And, while the free guidelines can be helpful, sometimes peace of mind can be achieved by having an outside source start your risk analysis program for you and guide you in future documentation and updates.
If the Office for Civil Rights (OCR) audits an organization, they will [...]

The post Bona Fide Risk Analysis or "just doing it to get the incentives". appeared first on Sentryworx.