Security Risk Analysis for HIPAA — and Medicare/Medicaid?

Do you need to conduct an electronic health information security risk analysis (SRA) or review of your practice before the end of the year?

The answer may be yes if:

  • You participate in the Merit-Based Incentive Payment System's (MIPS) Promoting Interoperability program. An annual security risk analysis is required.
  • You are covered by HIPAA or Texas privacy and security laws, and you’ve never performed a risk analysis of your practice. In that case, you are out of compliance and need to take action immediately. Following the analysis, you must create and follow a risk management plan, i.e., written policies and procedures to correct areas of vulnerability, including staff training. Refer to these U.S. Department of Health and Human Services (HHS) resources:

Intersection of HIPAA and MIPS/Promoting Interoperability Risk Assessments

Your HIPAA security risk analysis must be ongoing. The HIPAA Security Rule requires that you update and document your security measures “as needed.” This means regularly reviewing and updating your risk management plan whenever you introduce new technology into the practice or make other changes that could affect electronic protected health information.

The frequency of reviews will vary among practices. Some might perform them “annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment,” says HHS.

Participating in the MIPS’ Promoting Interoperability category requires that you update your security risk analysis annually.

As you identify security gaps, be sure to create an action plan, with a timeline, to address those gaps. If you are audited, it is important to produce not only your security risk analysis documentation but also the plan you have in place to address gaps.

These TMA resources provide information and help:

If you have questions, contact the TMA Knowledge Center at (800) 880-7955 or knowledge[at]texmed[dot]org.

Last Updated On

August 07, 2023

Originally Published On

October 19, 2017