Conducting a security risk analysis is a required implementation specification of the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) for every covered entity and business associate. Eligible professionals must also conduct or review a security risk analysis for each reporting period to demonstrate that they protect the privacy and security of their patients' protected health information (PHI).
The latest HIPAA Audit Program results found that 83% of covered entities failed to perform an adequate SRA, and 94% failed to establish or maintain an information security risk management plan. Failing to perform a risk assessment, or performing an insufficient one, is the leading cause of failing a HIPAA audit.
If you are a healthcare provider that accepts Medicare, then you have probably seen and heard the acronyms MACRA (Medicare Access and CHIP Reauthorization Act), MIPS (Merit-based Incentive Payment System), and EHR (electronic health record) hundreds of times in 2017.
You may have chosen to attest to MIPS for the entire calendar year, or perhaps you are gearing up to begin reporting in the final 90 days of 2017. You may also have chosen to begin reporting in 2018. Whichever path you have selected, are you aware that to earn credit in the Advancing Care Information category of MIPS a practice must attest that it has performed a security risk assessment (SRA), the same analysis the HIPAA Security Rule already requires, covering patient health information in its certified EHR and everywhere else in the practice?