Risk assessment and risk analysis are often used interchangeably. Although HIPAA risk analysis and risk assessment are terms that closely resemble each other, there are significant differences between the two.
One of the most common myths is that simply installing a certified EHR fulfills the Security Risk Analysis Meaningful Use requirement. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
Here are four other myths about a security risk analysis:
1. MYTH: A security risk analysis is optional for small providers.
TRUTH: All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
2. MYTH: My EHR vendor took care of everything I need to do about privacy and security.
TRUTH: Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
3. MYTH: I have to outsource the security risk analysis.
TRUTH: It is possible for small practices to do a risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.
4. MYTH: A checklist will suffice for the risk analysis requirement.
TRUTH: Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
Keeping up with healthcare IT regulations and understanding how to properly secure ePHI is a big undertaking. It’s important to understand what goes into a risk assessment so you know what to expect when it comes time for your practice’s risk assessment.