Security Risk Analysis for HIPAA — and Medicare/Medicaid?

Do you need to conduct an electronic health information security risk analysis (SRA) or review of your practice before the end of the year)?

The answer may be yes if:

  • You participate in the Medicaid meaningful use program. Conducting an SRA is a 2017 required measure of Stage 2 and Stage 3: Protect electronic protected health information.
  • You participate in the Merit-Based Incentive Payment System (MIPS) with the goal of earning an incentive. Security risk analysis is a required 2017 transition measure under the 2017 Advancing Care Information (ACI) reporting category.
  • You have chosen to avoid a MIPS penalty by submitting the bare minimum data, and you have chosen the ACI measure that requires a security risk analysis as one of the four or five measures for the base score (depending on your electronic health record edition).
  • You are covered by HIPAA or Texas privacy and security laws, and you’ve never performed a risk analysis of your practice. In that case, you are out of compliance and need to take action immediately. Following the analysis, you must create and follow a risk management plan, i.e., written policies and procedures to correct areas of vulnerability, including staff training. Refer to these U.S. Department of Health and Human Services (HHS) resources:

Intersection of HIPAA and MIPS/Meaningful Use Risk Assessments

Your HIPAA security risk analysis must be ongoing. The HIPAA Security Rule requires that you update and document your security measures “as needed.” This means regularly reviewing and updating your risk management plan whenever you introduce new technology into the practice or make other changes that could affect electronic protected health information.

The frequency of reviews will vary among practices. Some might perform them “annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment,” says HHS.

By performing and documenting this review annually, meaningful use incentive program participants meet the required measure for stages 2 and 3. The same applies to all MIPS participants meeting the ACI security risk analysis measure.

As you identify security gaps, be sure to create an action plan, with a time line, to address those gaps. If you are audited, it is important to produce not only your security risk analysis documentation but also the plan you have in place to address gaps.

These TMA resources provide information and help:

Do you need a clearer understanding of the Medicare Access and CHIP Reauthorization Act (MACRA), MIPS, and other Medicare rules and regulations? TMA’s popular annual Medicare update seminar is back. Register now for the half-day seminar, which runs Nov. 7-Dec. 7 at a city near you, or for the live webcast on Dec. 7. 

Published Oct. 19, 2017

TMA Practice E-Tips main page

Last Updated On

March 08, 2019