One of the most important aspects of complying with the HIPAA Security Rule is performing a Security Risk Assessment (SRA), also known as a Security Risk Analysis, to evaluate how an organization is protecting patient data. Every organization covered by HIPAA (Covered Entities and Business Associates) must perform an SRA. According to the Office for Civil Rights (OCR), the HHS division that enforces HIPAA, the SRA is the most important document in HIPAA compliance, and it is the first document examined in any audit or investigation.
In addition to providing recommendations on how to reduce the likelihood of a data breach, the SRA process is widely considered a best practice in cybersecurity circles. Cybersecurity is an issue for every organization, not just HIPAA covered entities. Many organizations outside healthcare conduct regular risk assessments as a way of reducing business risk and keeping their systems operational.
How does it work? The SRA looks at every system that creates, receives, maintains, or transmits electronic protected health information (ePHI, or patient information). It identifies the threats to that ePHI, the vulnerabilities in the systems that hold it, and the protections currently in place to safeguard it. Based on all of the information gathered and evaluated, the results of the SRA show the areas of greatest breach risk and provide a playbook (we call it the Work Plan) for how additional protection can lower the risk of a breach of patient information.
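The following is an added illustration of the threat, vulnerability, and existing-control analysis described above, not part of the original page or of navitend's own assessment method. It models a small risk register for systems holding ePHI, scores each risk before and after the controls already in place, ranks the residual risk, and turns the missing controls on the highest risks into a work plan. The assets, threats, controls, and the 1 to 3 scoring scale with a "control effectiveness" fraction are constructed assumptions for demonstration; HIPAA does not prescribe a particular scoring formula.

```python
"""Risk register and work plan for a Security Risk Assessment.

Constructed example. The assets, threats, vulnerabilities, controls, and
the numeric scoring scheme below are illustrative assumptions, not a
method required by the HIPAA Security Rule.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Qualitative ratings mapped to numbers (assumption: 1 = low, 3 = high).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of likelihood removed when implemented (assumption)
    implemented: bool     # True if the safeguard is already in place


@dataclass
class Risk:
    asset: str            # system that creates, receives, maintains, or transmits ePHI
    threat: str
    vulnerability: str
    likelihood: str       # inherent likelihood, before any controls
    impact: str           # impact on confidentiality, integrity, or availability of ePHI
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact with no controls considered."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_likelihood(self) -> float:
        """Inherent likelihood reduced by each control that is actually implemented."""
        lik = float(SCALE[self.likelihood])
        for control in self.controls:
            if control.implemented:
                lik *= 1.0 - control.effectiveness
        return lik

    def residual_score(self) -> float:
        """Residual risk = residual likelihood x impact, rounded for reporting."""
        return round(self.residual_likelihood() * SCALE[self.impact], 2)


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Order the register by residual risk, highest first."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)


def work_plan(register: list[Risk], threshold: float = 3.0) -> list[tuple[str, str, str]]:
    """Return (asset, threat, missing control) for every risk still above threshold.

    Only controls that are not yet implemented appear, since those are the
    additional protections that would lower the residual risk.
    """
    plan = []
    for risk in rank_risks(register):
        if risk.residual_score() > threshold:
            for control in risk.controls:
                if not control.implemented:
                    plan.append((risk.asset, risk.threat, control.name))
    return plan


# Constructed sample register for a small practice (hypothetical assets).
EXAMPLE_REGISTER = [
    Risk("EHR database server", "ransomware", "unpatched operating system", "high", "high",
         [Control("patch management", 0.5, False),
          Control("offline backups", 0.3, True)]),
    Risk("Laptop fleet", "device theft", "unencrypted disk", "medium", "high",
         [Control("full-disk encryption", 0.9, False)]),
    Risk("Billing portal", "credential stuffing", "password-only login", "medium", "medium",
         [Control("multi-factor authentication", 0.8, True)]),
]


if __name__ == "__main__":
    for risk in rank_risks(EXAMPLE_REGISTER):
        print(f"{risk.asset:22} inherent={risk.inherent_score():<3} residual={risk.residual_score()}")
    print("Work plan:")
    for asset, threat, control in work_plan(EXAMPLE_REGISTER):
        print(f"  {asset}: implement {control} (threat: {threat})")
```

In the sample register the billing portal starts with a higher inherent score than its residual suggests, because multi-factor authentication is already in place; the two risks that remain above the threshold are exactly the ones whose mitigating control has not been implemented, and they become the work plan. Any real assessment replaces the constructed scoring scale with whatever method the organization documents and applies consistently.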
For many organizations, an SRA can be a time-consuming process. Let navitend make the process easier for you. Call 973.448.0070 ext 312 and ask for Patrice to start the process of your Risk Assessment today.