It is important that covered healthcare entities follow HIPAA compliance policies. To do so, they must evaluate their policies from time to time: assess the potential risks involved and make appropriate changes so that the HIPAA Certification policies are followed properly. However, there are some common myths about security risk analysis:

1. Security risk assessment needs to be done just once:

It should be noted that a security risk assessment (SRA) has to be done at regular intervals, and that the appropriate modifications to the policies have to be carried out based on its findings.

2. Small businesses have the option of not doing SRA:

This is not true! If you are a covered entity, then no matter the size of your business it is mandatory for you to carry out an SRA at regular intervals. You have to take all the required measures to protect sensitive health information.

3. Risk analysis needs to be done only when you opt for EHR:

When you adopt an EHR you have to carry out a complete HIPAA Risk Analysis. But it should be noted that this is not the only time you need to carry out an SRA. You need to carry out the risk analysis at regular intervals and as and when required.

4. My EHR vendor will take care of the security aspect:

You have to understand that your vendor will provide you with information and training, but it is not your vendor's responsibility to ensure that all the products are HIPAA compliant. It is your responsibility to make sure that HIPAA compliance for all products and services is in line with the HIPAA guidelines.

5. SRA means only keeping tabs on my electronic health records:

No! You not only need to keep a check on your records; you also need to ensure that proper measures are being taken to protect all the devices and electronic media that are used to access protected health information.

6. No expertise is required for SRA:

This is totally untrue. One must note that a Security Risk Assessment requires expertise. You need proper knowledge of all the rules and regulations, and you need to make sure that you consider every relevant aspect when you carry out the risk analysis.

7. A checklist for SRA is all that one needs:

Checklists will help you go about an SRA systematically. But a checklist is not the only thing you will need; you still need to carry out the analysis itself in a systematic manner.

8. SRA can be performed only in a single way:

No, this is not correct! There are a number of ways in which one can perform an SRA. You only need to make sure that you apply these methods properly.

9. Installation of a certified electronic health record is all that one needs:

Installing an electronic health record is required, but that does not mean you need not carry out the risk analysis. That still has to be done at periodic intervals and without fail.

10. An SRA is sufficient for risk management:

An SRA is important for risk management, but it is not the only thing that is needed. You need to make sure that you adopt all the other measures required for proper risk analysis.

These are some of the common myths about risk assessment.