Your EHR Vendor Is Not Responsible For Your Security Risk Analysis
By David Doolittle


True or false: Having a HIPAA-compliant electronic health record (EHR) is enough to meet the requirements of a security risk analysis (SRA).

If you answered false, you probably know how to store and share protected health information (PHI) securely.

But if you answered true (or if you had to Google “security risk analysis”), you might want to read on.

An SRA looks at how your practice could be exposing PHI, which is a HIPAA breach and could result in a hefty fine from the federal Office of Civil Rights (OCR). 

As you might’ve guessed, the OCR is more likely to levy a fine if you haven’t created a written plan to address the vulnerabilities in your practice.

Think of your SRA as a living document that should be reviewed at least annually to find new vulnerabilities, such as new technology, system upgrades, and any other changes within your practice that could affect the security of PHI.

Things to consider when conducting an SRA include: 

  • Identifying the location of all PHI related to your practice, including patient data stored on a server within your practice or in the cloud with your EHR vendor. Is that information properly protected and accessible only to those people within your practice who have rights to view it, or to entities with which you have a Business Associate Agreement?
  • Regularly training staff on handling PHI, as well as how to prevent a HIPAA breach and what to do if one occurs;
  • Having a schedule to change passwords on a regular basis;
  • Making sure your staff has access to only those parts of the patient records they need to do their jobs. For example, a front desk receptionist/scheduler doesn’t need access to the full patient record. Your EHR vendor can help you assign the proper access settings for your staff; and
  • Staying current with system and software upgrades and updates.   

The good news is that you can conduct an SRA yourself. But if you need help, contact TMA’s practice consultants. You can also use the free Security Risk Analysis Tool on the website for guidance while performing your own analysis. 

For more information on SRAs and HIPAA compliance, contact TMA’s HIT Department by e-mail, or by calling (800) 880-5720.

Last Updated On

March 11, 2019

Originally Published On

August 15, 2018

Related Content

HIPAA | Practice Consulting