The myths around a Security Risk Analysis

The Security Risk Analysis needs to cover administrative, physical, and technical safeguards, to ensure all patient information is protected. Practices must reassess when there is a significant change in infrastructure, technology, or staffing.

The Quality Reporting Engagement Group discussed some of the myths promoted on the HealthIT.gov website (as created by The Office of the National Coordinator for Health Information Technology).

Some Common Myths of the Security Risk Analysis (SRA)¹:

1. The security risk analysis is optional for small providers. 
2. Simply installing a certified EHR fulfills the security risk analysis MU requirement. 
3. My EHR vendor took care of everything I need to do about privacy and security.
4. I have to outsource the security risk analysis.
5. A checklist will suffice for the risk analysis requirement.
6. There is a specific risk analysis method I must follow.
7. My security risk analysis only needs to look at my EHR.
8. I only need to do a security risk analysis once.
9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
10. Each year, I’ll have to completely redo my security risk analysis.

The Quality Reporting Engagement Group has tools that can be used by a practice in conducting their own security risk analysis, as well as providing information on vendors to help with an SRA. To learn more, contact them at: sales@intrinsiq.com

The information in this blog was taken from a webinar held in July 2021 titled: MIPS Webinar Cost/Feedback Reports & Security Risk Analysis. To view the webinar, click here.

1. https://www.healthit.gov/topic/privacy-security-and-hipaa/top-10-myths-security-risk-analysis