Get Serious About Your Security Risk Assessment
With the 2015 reporting year quickly coming to a close, it’s time to start thinking about conducting or reviewing your Security Risk Assessment (SRA). Congratulations and a job well done to those who are on top of their game and have already accomplished this task. For those who haven’t, you must complete an SRA no later than the date of your attestation, and it must cover your EHR reporting period.
Not only can Medicaid recoup payment from providers who have not conducted a Security Risk Assessment (or from those falsely attesting to having conducted one), but the Office for Civil Rights (OCR) can also enforce penalties and is currently conducting desk audits. This means that you are open not only to recoupment of incentive payments, but to civil and criminal penalties as well.
In September, Cancer Care Group, P.C. in Indiana was fined $750,000 for a data breach involving a stolen laptop. OCR’s subsequent investigation uncovered widespread non-compliance with the HIPAA Security Rule, including the lack of an enterprise-wide risk analysis when the breach occurred in July 2012. An enterprise-wide risk analysis would have identified the risk items that led to this breach, resulting in policies, procedures and training to prevent the removal of unencrypted ePHI.
The HHS Office for Civil Rights and the Office of the National Coordinator for Health Information Technology offer a Security Rule Risk Assessment Tool to help organizations that handle protected health information conduct a regular review of the administrative, physical and technical safeguards they have in place to protect the security of that information. The tool is available at: http://www.healthit.gov/providers-professionals/security-risk-assessment.