By Kelly Benson and Arielle Van Peursem
The HIPAA Security Rule states that a security risk analysis (SRA) must be conducted regularly in the most appropriate way to achieve compliance, considering the characteristics of the organization and its environment. Even though this does not explicitly say “annually,” experts recommend performance of an SRA each year, at a minimum, mainly due to the rise in security concerns and threats during the past two years. This can be especially challenging for hospitals, physician practices, and medical groups.
The sole purpose of completing an SRA is not to check a box for the federal government, but rather to identify risks and vulnerabilities related to inappropriate access to protected health information. An SRA is also required due to a security incident, a change in ownership, turnover in key staff or management, and plans to incorporate new technology. Most organizations have experienced one or more of these occurrences in the past year. When you pair that reality with the increase in ransomware/phishing attacks that plague health care, completing an annual SRA should be your best practice for the privacy and security of patient information.
Merit-Based Incentive Payment System (MIPS)
To meet the promoting interoperability (PI) measure, MIPS eligible clinicians must attest “yes” to conducting or reviewing an SRA, implementing security updates as necessary, and correcting identified security deficiencies.
From another federal perspective, MIPS was implemented to encourage provider participation in value-based over fee-for-service care. Simply put, you need to score at or above 85% to qualify for the exceptional performance bonus when participating in MIPS. One of the four categories, “Promoting Interoperability,“ accounts for 25% of the overall score. Without an SRA, the entire category is thrown out. MIPS attestation is an annual occurrence, which has promoted the shift for the SRA to be conducted annually.
Changes coming to MIPS in 2022 make it impossible to achieve MIPS incentives without an SRA. It is important to note this for reimbursement and to acknowledge that the government is doing a lot to incentivize this security requirement. Finally, the MIPS requirement means a comprehensive, enterprisewide SRA that includes all three safeguards in the Security Rule (administrative, physical, and technical) and a risk management plan implemented to update security deficiencies identified in the SRA. As we have seen in audits, SRAs can be thrown out for not having a plan in place to mitigate the risks uncovered.
Can I Just Check ‘Yes’ on the SRA Box in the MIPS Attestation?
In theory, you could just check the “yes” box because submission of a physical report is not required. However, the long-term consequences of this shortcut outweigh the immediate relief of avoiding an SRA. In fact, the financial penalties associated with failure to perform a proper SRA regularly could put your practice out of business. Based on tiered penalties, the highest tier is $50,000 per record exposed, which is categorized as “willful neglect.” This indicates that you understand the requirement to perform an SRA but you choose not to comply, and then proceed to check the box anyway for reimbursement. Furthermore, penalties can look like a breach incident, in that a vulnerability is uncovered in an SRA without remediation to follow—if an organization believes the report is all they need to do.
Historically, outside of breaches, it has been easy for smaller organizations to fly under the radar with MIPS audits. However, several years ago Congress approved the use of penalty payment to hire more auditors. As a result, the sharp increase in penalties due to ransomware-related breaches has led to an increase in auditors and audits. These trends are shown on the HHS website, where all breaches of 500 records or more are posted.
Can My IT Staff or Vendor Conduct an SRA?
It seems logical for IT groups to conduct an SRA because of the natural overlap in security priorities. The expertise of trusted IT staff or vendors is critical to keeping bad actors out of your network. However, most IT staff are not trained in policy development and review. While they should contribute to the development of security policies, their job is not focused on developing and reviewing your “Minimum Necessary“ procedures.
If asked to perform an SRA, IT staff will likely conduct a technical audit, which is not a sufficient SRA. Technical audits are not considered sufficient by the Office for Civil Rights and leave the organization open to penalty. To ensure the SRA is comprehensive, there is value in having an objective third-party expert conduct this analysis.
Can I Simply Use the Free Spreadsheet Online to Do My SRA?
The online tool developed by HHS is an option. However, the tool is not sufficiently comprehensive to meet all HIPAA requirements. Though we are encouraged to see the government offering a solution to meet certain requirements, use of the tool does not mean your organization is “good” for the year. It’s a starting point that can help hospitals, physician practices, and medical groups walk through the SRA, but HIPAA requirements do not stop there. The free tool does not provide the following:
All these items are explicitly stated in the Security Rule for all covered entities and business associates. While the tool is helpful to get started, it is only one piece of a HIPAA compliance program. Your organization will benefit from solutions that address all HIPAA requirements to avoid additional work in multiple areas. At a minimum, MIPS-eligible providers should present a plan for gaining efficiencies, along with steps to implement that plan through clinical knowledge, innovation, and technology.
— Kelly Benson is solutions consultant at DeliverHealth.
— Arielle Van Peursem is national partner manager at Medcurity.