The Office of the National Coordinator for Health IT has debunked 10 common myths about security risk analysis for healthcare providers.
1. The security risk analysis is not optional for small providers, as all HIPAA-covered entities are required to perform one, as well as all providers who want electronic health record incentive payments.
2. Simply installing a certified EHR does not fulfill the security risk analysis meaningful use requirement, as security analyses go beyond the information stored in EHRs.
3. EHR vendors should not be expected fully handle all privacy and security requirements, as the responsibility to be HIPAA-compliant rests with providers, not vendors.
4. Security risk analysis does not have to be outsourced, though conducting a thorough review does require the kind of expert knowledge that can be acquired through an outside professional.
5. A checklist will not suffice for the risk analysis requirement. They are useful tools, but fall short of performing a systematic security risk analysis or documenting that one has been performed.
6. There is not a specific risk analysis method that must be followed, as a thorough analysis can be performed in many ways.
7. A security risk analysis needs to look beyond the EHR system to review all electronic devices that store, capture or modify electronic protected health information.
8. HIPAA compliance means risk analyses must be performed routinely, not just once.
9. The EHR incentive program does not require all risks to be mitigated before applying. Rather, the program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
10. Risk security analyses do not have to be completely redone every year. When changes to the organization or electronic systems occur, an organization should review and update the prior analysis for changes in risks. Under the meaningful use programs, reviews are required for each EHR reporting period.
More Articles on the ONC:
6 Steps to a Successful Community-based mHealth Program
16 Statistics on Meaningful Use Attestation
Engaged Patients Viewed as Universal Must in Growth of eHealth