Top 5 Myths About Conducting a HIPAA Security Risk Analysis

Posted by Digital Manager on Wed, Apr 02, 2014 @ 07:30 AM

Believing these common myths puts you at risk for a HIPAA breach or violation. Know the facts and consider if your organization is adequately identifying and addressing HIPAA threats and vulnerabilities.


On any given day, as one of the most recognized names in compliance and regulated services, Stericycle walks into and talks with more HIPAA covered entities than any other service provider. It’s our mission to listen—and to see what’s missing or where there’s potential exposure.

Under the HIPAA Security Rule, Covered Entities and Business Associates are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic Protected Health Information (ePHI). While that sounds simple enough, audit findings from the Department of Health and Human Services Office for Civil Rights (OCR) reveal widespread noncompliance with this requirement. In audits conducted in 2011-12, OCR reported that 2/3 of the covered entities audited lacked a complete and accurate risk assessment.

In our daily conversations with covered entity health care providers, we’ve heard and seen an equal share of myths and missteps that prevent full compliance with 45 CFR § 164.308(a)(1)(ii)(A). Below are some of the most common myths putting covered entities at risk for a HIPAA breach or violation.

Myth 1: The Security Risk Analysis is optional for small providers

This is False.

FACT IS: All providers and business associates with any ePHI who are “covered entities” under HIPAA are REQUIRED to perform a risk analysis.

In addition, all providers who want to receive electronic health record (EHR) incentive payments must conduct a risk analysis.

Myth 2: Installing a certified EHR system fulfills the Security Risk Analysis Meaningful Use requirement.

Don’t believe it.

FACT IS: Even with a certified EHR system implemented, you must perform a full Security Risk Analysis.

Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

Myth 3: My EHR vendor took care of everything I need to do about HIPAA privacy and security.

This is False.

FACT IS: It is solely your responsibility to have a complete Risk Analysis conducted.

Your EHR vendor can provide information, assistance and training on the privacy and security aspects of the EHR PRODUCT. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules.

Myth 4: A checklist will suffice for the Risk Analysis requirement.

Don’t take this shortcut.

FACT IS: Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic Security Risk Analysis or documenting that one has been performed.

All items for remediation noted on the checklist or in your Security Risk Analysis need to be completed to qualify for Meaningful Use.

Myth 5: I only need to do a Risk Analysis once.

This is False.

FACT IS: To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

There is no mandatory timeline for updates, but a best practice is to do so at least once a year. Your annual Risk Assessment is valuable protection for patient information—and your business.

It is our mission to help protect your company and reduce your ongoing risk.

Stericycle’s Steri•Safe℠ HIPAA Compliance Solution provides a high-quality solution to conduct thorough privacy and security risk assessments as a critical step in meeting your Risk Analysis requirements under the HIPAA Security Rule. Our all-in-one HIPAA package also meets your needs for HIPAA training and policy documentation. Contact a HIPAA Specialist today to find out more.

Blog content adapted from CMS Security Risk Analysis Tipsheet: Protecting Patients’ Health Information and from the HHS Office of the National Coordinator on Health Information Technology’s Guide to Privacy and Security of Health Information