Risk assessment and risk analysis are often used interchangeably. Although HIPAA risk analysis and risk assessment are terms that closely resemble each other, there are significant differences between the two.
Netgain and 4MedApproved partnered to present a learning lunch session to help clear up the confusion and explain what is required to fulfill the Meaningful Use measure. In this on-demand webinar, Charles Killmer, Security Officer at Netgain, dispels myths surrounding risk analysis, answers common questions, and addresses how to document your work to protect your practice in the event of an audit.
One of the most common myths is that simply installing a certified EHR fulfills the Security Risk Analysis Meaningful Use requirement. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
Here are four other myths about a security risk analysis:
1. MYTH: A security risk analysis is optional for small providers.
TRUTH: All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
2. MYTH: My EHR vendor took care of everything I need to do about privacy and security.
TRUTH: Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
3. MYTH: I have to outsource the security risk analysis.
TRUTH: It is possible for small practices to do a risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.
4. MYTH: A checklist will suffice for the risk analysis requirement.
TRUTH: Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
During the webinar, Charles also shares the answers to these commonly asked questions:
1. What is the difference between a risk assessment and a risk analysis?
2. How is the scope of the analysis determined?
3. What are the common myths of a security risk analysis?
4. How often do we need to perform a risk assessment?
5. Can I do an in-house risk analysis or do I have to hire a third party?
6. What are common pitfalls of conducting a risk analysis?
7. What is the difference between a review and a full risk analysis?
8. What documents should I retain to protect my practice in the event of an audit?
9. What can I expect after the analysis?
10. How much time do I have to resolve findings?
Keeping up with healthcare IT regulations and understanding how to properly secure ePHI is a big undertaking. View the webinar to gain insight that will help your practice understand what goes into a risk assessment so you know what to expect when it comes time for your practice’s risk assessment.