Is it time to perform a security risk assessment at your practice?
I know what you’re thinking: It sounds about as fun as a root canal.
Maybe for some people! I love digging into all things compliance, and it’s what I’ve built my career around. But I’m also keenly aware that, when your main focus is delivering excellent patient care and running a high-growth practice, keeping up with the requirements of an SRA can be a tall order.
That’s why I’m here: to share a realistic, six-step plan for taking the lead on your practice’s security risk analysis, and explain why (thanks to some brand-new regulatory updates) it’s more important than ever to get it done right.
Understanding the Purpose of Security Risk Assessments
If you’re with me so far, you might know that Security Risk Assessments (SRAs) are a crucial requirement of HIPAA (Health Insurance Portability and Accountability Act) compliance. This requirement is laid out in the HIPAA Security Rule, which states that covered entities and their business associates must:
💡 45 C.F.R Section 164.308(a)(1)(ii)(A)
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the [organization].
Even though it’s not a revenue-driver or patient-facing process, conducting regular security risk assessments is a major benefit to healthcare practices, as a framework for:
Identifying vulnerabilities and threats. Failure to identify and prevent these threats could lead to unauthorized access, use, disclosure, alteration, or destruction of ePHI.
Risk management. HIPAA’s Security Rule requires covered entities to maintain reasonable and appropriate administrative, physical, and technical safeguards for protecting ePHI.
Compliance and enforcement. Regular SRAs are not just a proactive measure for data protection; they are also a legal requirement under HIPAA.
Continuous improvement. SRAs provide a mechanism for organizations to regularly review and update their security practices and policies in response to new threats, technologies, and changes in how ePHI is stored, processed, and transmitted.
Components of a Security Risk Assessment
One myth about completing a security risk assessment is that there’s a specific way to do it that every practice must follow.
That’s not exactly right. The Office For Civil Rights (OCR), the enforcement agency for HIPAA, has released Guidance on Risk Analysis Requirements Under the HIPAA Security Rule, training materials, and even a risk assessment tool for covered entities, which I’ll cover shortly.
Within the “flexibility” of the Security Rule, there are still many administrative, physical, and technical implementation specifications that entities must assess.
That said, the actual process of performing an SRA will look a little different for each entity, based on the tools and the teams involved. In the next section, I’ll share a 6-step framework that can turn your SRA from daunting to achievable.
6 Important Steps for Completing Your Practice’s SRA
So, how can you make the data collection, risk assessment, and documentation processes easier on your team? I suggest breaking it down into six actionable steps:
1. Set Your Budget and Tools
There are many tools on the market for completing an SRA—and some are better than others. You could spend weeks researching these tools before you arrive at a solution.
If you do have a budget for a specialized tool or a consultant, make sure you find resources that reference the HIPAA regulations. And keep in mind: No matter how fancy the tool or how expensive the consultant is, you and your team will still have to be involved in the SRA process.
If you don’t have a budget or the time to research the many options on the market, you can use the free HIPAA Security Risk Assessment Tool released by the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR).
I have used the HIPAA Security Risk Assessment Tool and have found it to be an economical and efficient method for assessing security risks. Here’s how it works:
About the HIPAA Security Risk Assessment Tool
The HIPAA Security Risk Assessment Tool “is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule. The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.”
The Tool downloads to and stores its data locally on your device. You can add other users to the tool to allow collaboration. The tool will walk users through the various risks associated with operating a healthcare practice.
At the end of the SRA, you can download and save a report to your practice’s drive. You can then use the report to create a project plan for mitigating your risk. The video below can help you determine how to use the tool, as well as the resources needed for completing the SRA.
OCR continues to update the tool. You can find more information on the HealthIT.gov website, watch SRA webinars, or read these presentation slides.
2. Don’t Go It Alone
Completing the SRA takes a team. If you are the compliance officer, part of your practice’s IT team, or both, you’ll need help completing the SRA.
Recruit other members of your team, especially those team members who handle the business associate agreements, IT assets, and the physical security of your facilities. Teammates can hold each other accountable and you can do more while delegating tasks.
3. Create a Timeline
Completing the SRA is not a part of your practice’s typical daily workflows, so if you don’t carve out time to work on it, it will never get done.
Depending on the size of your practice, completing your first SRA may take a month or more of consistent and daily work. Plan regular meetings on your team’s calendar and establish deadlines. Stick to your deadlines and work through any barriers that emerge.
Keep in mind: There’s a light at the end of the tunnel! Completing your practice’s first SRA will be the biggest hurdle, and subsequent years will involve maintenance and review of any major changes.
4. Organize Your Materials and Reports
No matter which tool or resource you chose for the SRA, plan a project kick off that reviews everything you’ll need for success, like your assessment tool and all the documents and other information needed to get started.
If you’re proactive, you can start gathering all your materials before you launch the assessment, to save yourself time and headaches.
Small Efforts All Year = Lighter Lift Next Time
The best way to stay on top of deadlines is to maintain your security program throughout the year. Update your business associate tracking list regularly. Create a version control strategy for updating your policies. Keep an IT asset tracking list. Retain all security program data in a central location.
This strategy will make it much easier when your next annual assessment comes around.
💯 Practical Advice
Make sure to download and securely store your SRA documentation. HIPAA requires you to retain all compliance documentation for 6 years. If you are audited, you should be able to quickly produce your report and remediation plan.
5. Complete the Process and Celebrate Your Accomplishment
Completing the SRA is a huge accomplishment! Celebrate it in your practice and use the opportunity to train your staff about the compliance requirements for completing an SRA.
6. Stay Ahead of Deadlines by Scheduling Your Next SRA
Completing the SRA is like preparing your taxes or changing your oil. It is not a fun or easy task and one can easily succumb to procrastination. Schedule time right now for your annual SRA to make sure you are meeting requirements for HIPAA compliance and Quality Payment Program participation.
Common Challenges in Risk Management and Assessment
Main challenges or barriers to compliance with the HIPAA security risk assessment requirement include:
Cost. Tools for conducting the SRA are limited and many are expensive.
Complexity. The regulation requirements are broad and the task can seem insurmountable. Finding a good consultant will take time, expense, and still require your team to support the project.
Time. Scheduling the SRA annually, pulling in your team’s resources to complete it, and project managing your risk remediation efforts requires extraordinary self-discipline and well-organized security policies and procedures.
We’ve already laid out a framework for successful completion of your SRA. But you might be wondering: What happens if you don’t complete it? I’ll dig into the details here in a second, but the short answer is: Don’t find out the hard way!
Consequences of Not Conducting a Risk Assessment
Neglecting to complete security risk assessments in healthcare can lead to significant consequences, including financial penalties and embarrassing public announcements. Trust me, you don’t want to be in that position!
How Investigations Are Conducted
Investigation of HIPAA breaches is the responsibility of the Office For Civil Rights. If an OCR investigation finds that an SRA has not been performed, was not being performed regularly, or was not comprehensive enough to accurately assess risk to security systems, the Office will issue a financial penalty.
Security Assessments and OCR Audits
Over the years, missing and insufficient SRAs have been a large source of monetary recovery for the OCR.
In the past, OCR adopted a reactive approach to identify missing SRAs. If a HIPAA covered entity or its business associate experienced a data breach, privacy violation, or if OCR received complaints about the entity, OCR would investigate the entity.
However, penalties for HIPAA violations are on the rise, and 2023 was a record-breaking year. Just read through the OCR’s Wall of Shame to see all the HIPAA breaches that have occurred in the past few years. Many of the practices cited on the website were missing their SRAs, and will soon be sanctioned with steep penalties for not complying with HIPAA.
For additional context, I’ll share a bit more about the role of Security Risk Analysis in Medicare participation—a big factor in the rise of SRA enforcement.
Medicare Participation and Security Risk Assessments
The odds that a given practice will face an OCR audit may increase this year with new Final Rule updates to the MIPS program. Here’s why:
As of January 1, 2024, The Center for Medicare and Medicaid Services (CMS) now requires all eligible clinicians* who report traditional MIPS or MIPS Value Pathways to participate in the Promoting Interoperability (PI) category for the MIPS program.
And one key requirement of Promoting Interoperability is the Security Risk Analysis Measure, which officially reads:
💡 Security Risk Analysis
Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified electronic health record technology (CEHRT) in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), implement security updates as necessary, and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.
In layman’s terms: Attesting YES to this measure essentially states that your practice has completed the SRA.
While the requirement is simply to answer YES or NO, it’s not a good idea to fudge the answer in order to meet PI requirements. The OCR may request documentation or CMS may conduct an audit, and if you cannot produce evidence of your risk assessments promptly, the penalties are steep.
*The exemption remains for social workers and small practices under 15 clinicians, whose PI score will be automatically reweighted.
What Could Happen If a Practice Falsely Attested to the SRA Measure?
Ideally, this wouldn’t be an issue. But in reality, mistakes (and fraud) do happen. The consequences that follow can really hurt a practice’s revenue and reputation. For example, here is a plausible scenario:
A MIPS eligible provider submits their performance data for 2024. The provider’s performance data, including data related to the PI category, earned points above and beyond the performance threshold. As a result, the provider earns a MIPS incentive for the 2026 payment year and enjoys a healthy payment increase!
Later, CMS begins auditing the providers who earned incentives to confirm compliance with the MIPS program. The provider receives a letter requesting their SRA for the performance year of 2024. If the provider cannot produce the SRA, CMS will seek recovery for the incentive payments. Ouch!
In addition to its own penalties, CMS refers the provider’s case to OCR and the Department of Justice (DOJ), who conduct an audit of the provider’s HIPAA compliance and investigate potential False Claims liability, respectively. If the DOJ determines the provider did submit a false statement to CMS by attesting to completing the SRA when the provider had not done so, the DOJ will seek triple damages and the provider could be excluded from participating in government programs, such as Medicare and Medicaid.
This might sound like a worst-case scenario, but it’s the reality for organizations that take the risk of noncompliance and submit false claims to a government entity.
Takeaways and My Top Advice
The biggest takeaway here is that completing your SRA is not only a requirement, it’s a highly valuable and completely achievable process!
But let me share one last piece of advice for the road: Your EHR and practice management platform can make all the difference when it comes to efficiently managing your ePHI and maintaining airtight compliance practices.
At Raintree Systems—provider of rehab therapy’s only ONC-certified EHR—we design every solution with a commitment to scalable processes, security, clinical efficiency, and industry-leading compliance standards.
I know my team would love to talk with you, and that you’ll get a lot out of the conversation. Schedule a demo and learn why high-growth PT, OT, SLP, and multi-disciplinary practices choose Raintree.
Veda Collmer, JD, CIPP/US, Raintree Systems’ General Counsel, Chief Compliance Officer, brings more than 10 years of experience in health law, privacy and compliance. Veda received the Robert Wood Johnson Foundation Public Health Law Fellowship in 2012 and completed her fellowship at the Arizona State University Sandra Day O’Connor College of Law.
