Apr 28th, 2016 - Reviewed/Updated Mar 5th
The HIPAA Security Rule requires covered entities (your practice) to conduct a Security Risk Assessment (SRA) of your organization, and it should be performed at least once a year. It is critical that practices perform the Security Risk Assessment, for multiple reasons. Not only is it important to comply with rules and regulations, but also, for what you may consider a more motivational reason, to protect your practice (and bank account) from what could become disabling fines and penalties.
Let me further explain. The Office for Civil Rights (OCR) has acknowledged in recent months that providers are not making compliance implementation a priority in their practices. As a result, the risk of unauthorized access, use, and disclosure of protected (and quite vulnerable) patient health information remains elevated. Add to that the risk of practices failing to implement other critical areas of compliance, which leaves practices significantly exposed and heightens the risk of substantial fines and penalties.
While this message only very briefly describes the risk to your practice, providers, workforce, and patients, the point to take away is that the Office for Civil Rights means business. So much so, in fact, that OCR (together with other regulators) has decided that the best and only way to make sure practices understand the significance of compliance is to step up enforcement. In short, HIPAA has teeth, and sharp ones at that. There is no such thing as "under the radar" or "off the grid" for practicing providers today.
One component of enforcement is the HIPAA Security Rule. It is a priority for OCR to ensure that identifying and vulnerable patient information is secure, and rightfully so, when you consider the risk of identity theft, medical identity theft, and other dangers posed to patients by the amount and types of information that health care providers hold on each patient. Not to mention the difficulty of finding the source of, and stopping the effects of, identity theft or medical identity theft should it occur (which it does, all too often).
Though there are other components of compliance, the Security Risk Assessment is an essential one, for many reasons. The Security Risk Assessment demonstrates your practice's good-faith effort to establish and maintain appropriate policies and procedures that meet the guidelines and minimize risk to your practice and the protected health information it holds. It is also required as a way for practices to show ongoing monitoring of critical business systems.
Enforcement in this area is at an all-time high and will continue to gain steam. The best thing practices can do is to be proactive.
And finally, the Security Risk Assessment is also required for Meaningful Use attestation. Practices that are found to have received incentive payments through Meaningful Use without appropriately conducting a Security Risk Assessment as required by the attestation have had to refund all of the incentive payments received, and they run a very high risk of more in-depth investigations and other potential penalties.