MIPS Security Risk Assessment
Performing a MIPS Security Risk Assessment (SRA) helps you identify where your organization's electronic protected health information (ePHI) could be exposed. An SRA surfaces the weaknesses and vulnerabilities of an organization's systems. It starts with an inventory of every system the organization uses to store, access, or transmit ePHI, identifies the threats and vulnerabilities that apply to each, and rates the resulting risks by likelihood and impact. The goal of the SRA is to give the organization the evidence it needs to develop security policies, procedures, and safeguards that protect ePHI, and to document that the analysis was actually performed.
Frequently Asked Questions About Security Risk Assessments
Who Is Required To Perform An SRA?
Every covered entity and each of its business associates must conduct a security risk analysis, as mandated by the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). In addition, attesting to an annual SRA is required for the Promoting Interoperability category of MIPS reporting.
Do I Have To Completely Redo The SRA Each Year?
No. Perform a full MIPS Security Risk Assessment when you first adopt an EHR. After that, review and update the prior analysis at least annually, and whenever changes to your practice or electronic systems (new software, new devices, new locations, new staff roles) alter the risks it covered. The update must be documented, not just performed.
Can I Just Use A Checklist To Do An SRA?
No. A HIPAA security risk assessment checklist is a useful tool for making sure nothing is overlooked, but on its own it is not a comprehensive, systematic security risk analysis, and it does not produce the documentation you need to show that one was performed.
Do I Have To Outsource The SRA?
No. A small practice can conduct its own SRA using self-help tools. However, an assessment that is thorough enough to stand up to a compliance review usually requires expert knowledge, so using an experienced outside professional is recommended.
Shouldn’t My EHR Vendor Take Care Of My Privacy And Security Needs?
No. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security features of your EHR product, but the vendor is not responsible for making your use of that product compliant with the HIPAA Security Rule. The obligation to conduct and document a complete risk analysis rests with you as the covered entity. Keep in mind, too, that your EHR is not the only place ePHI lives: tablets, desktop and laptop computers, mobile phones, and printers/copiers with internal storage all hold electronic protected health information and must be included in the assessment.