Security Risk Analysis myths

Key Takeaway:

Security risk analysis leaves room for many kinds of confusion about what it means and how it is to be carried out. Dispelling the popular security risk analysis myths is the way to clear this up, and the Office of the National Coordinator for Health IT has sought to help professionals do so.

Many misunderstandings and misconceptions surround HIPAA's security risk analysis. The complexity of the regulations is the main reason for this. Consider one example: security risk analysis is required both under the Security Rule and under Stage 1 and Stage 2 of the EHR meaningful use incentive program, in which hospitals and healthcare professionals have to demonstrate meaningful use of electronic health records. This overlap leaves enormous scope for professionals and practitioners to develop security risk analysis myths.

Because descriptions of some of the requirements can cause confusion and misunderstanding, the Office of the National Coordinator for Health IT (ONC) has issued a list of the most popular security risk analysis myths.

Myth 1: The security risk analysis is optional for small providers

It is not. The Security Rule states that all HIPAA-covered entities, and all providers who seek electronic health record incentive payments, are required to perform one.

Myth 2: Fulfilling the security risk analysis meaningful use requirement is all about installing a certified EHR

No. Securing the information stored in the EHR is only one part of the security risk analysis meaningful use requirement. Merely installing a certified EHR does not fulfill it.

Myth 3: There is no need to worry about privacy and security, since everything has been entrusted to the EHR vendor

Not so. It is the responsibility of providers, not EHR vendors, to fully take care of all privacy and security requirements.

Myth 4: Security risk analysis needs to be outsourced

Not necessarily. A healthcare organization may take the help of an external consultant or another professional to carry out its security risk analysis, but it does not have to outsource it.

Myth 5: A checklist is enough for fulfilling security risk analysis

It is not. While checklists are not without their uses, a security risk analysis, or the documentation of one that has already been performed, requires much more than a checklist.

Myth 6: A specific risk analysis method must be followed

No. There are multiple ways in which a proper and thorough security risk analysis can be performed.

Myth 7: The EHR is all that is required for a security risk analysis

One of the many security risk analysis myths is that the EHR system is comprehensive and sufficient for a risk analysis. It is not. The EHR system is only one component of a security risk analysis, which is complete only when all electronic devices used for storing, capturing or modifying ePHI have been reviewed.

Myth 8: A risk analysis needs to be done only once

No. To stay compliant with HIPAA guidelines, a healthcare organization has to carry out its security risk analysis continually.

Myth 9: Mitigating all risks is necessary before attesting for an EHR incentive program

It is not. The EHR incentive program's risk management requirements call for identifying and correcting deficiencies during the reporting period, as part of carrying out the risk analysis, rather than mitigating all risks before applying.

Myth 10: Redoing the risk analysis from scratch every year is necessary

This is one of the more persistent security risk analysis myths. It is not necessary to completely redo a security risk analysis every year. It is enough for organizations to update it, in every EHR reporting period, to reflect changes to the organization or its electronic systems as they occur.
