Health Information Technologies and Processes

SRA often?

  • 1.  SRA often?

    Posted 08-07-2020 10:30
There's no requirement on how often a Security Risk Analysis needs to be redone in terms of "every year", "every two years", etc. under HIPAA.  There are also many opinions on what is "best practice", "industry standard", etc.

    So all of that said, just curious what timeframe people have adopted, if any, to review or redo their Security Risk Analysis that is required by the HIPAA Security Rule.

I ran a poll last year and over 70% of the respondents are reviewing their SRAs in the 2-3 year range, including when there is no material change in their operating environment.

    There was some confusion about meaningful use where some folks were promoting the idea that the SRA had to be redone every year for meaningful use...and OCR indicated on a webinar that this is not true.


    Frank Ruelas
    Compliance Professional

  • 2.  RE: SRA often?

    Posted 08-09-2020 22:24
    Edited by Ashley Dean 08-09-2020 23:07

    Hi Frank,

    Those are very interesting figures reported.  I think that perhaps explains why poor/inadequate SRAs have been a leading cause of MU audit failures?  The MU/PI/MIPS auditors follow CMS documented MU/PI/MIPS measure requirements (and only follow ONC for EHR certification criteria); I've attached the 2020 MIPS Measures Security Analysis Risk Fact Sheet, which documents the requirements for an SRA in that program.

    "It is acceptable for the security risk analysis to be conducted or reviewed outside the performance period; however, the analysis must be unique for each performance period, the scope must include the full MIPS performance period, and it must be conducted within the calendar year of the MIPS performance period (January 1st – December 31st).  ... and a review must be conducted covering each MIPS performance period. Any security updates and deficiencies that are identified should be included in the clinician's risk management process and implemented or corrected as dictated by that process."

I wish HHS had been a little more detailed with their security analysis guidance, also referencing the MU/QPP/MIPS annual SRA requirement -- not for a completely new SRA, but a minimum to review and update the SRA annually, noting any changes or lack thereof.  Because so many providers fall under these EHR reporting programs like MU and MACRA, it's easy for providers to get confused between ONC and CMS requirements.  My concern for providers is that a statement during an ONC webinar might not be considered 'Official CMS documentation' and might not hold weight with the auditors that use CMS reporting guidelines when reviewing MU/PI/MIPS submissions.

My understanding is that CMS expectation is for MU/PI/MIPS SRAs to be completed/reviewed annually (either a full review/re-assessment or an update, as appropriate -- but it must be unique for the reporting period) for participants of these programs, and there are new reporting periods each year.  Because EHR updates related to those MU/QPP/MIPS measure changes frequently occur annually (even more so for cloud-based EHR users), this could be viewed as a trigger for needing a renewed SRA, especially if core functions or features for sharing and distributing PHI, like implementing an HIE or new interfaces, are involved, which would definitely trigger the need for either a new or an updated SRA, depending on the full circumstances of the organization.

    By performing and documenting this review (and not necessarily a full re-assessment, but an update) annually, MU/PI/MIPS program participants met the required SRA measure for MU stages 2 and 3, as well as for QPP/MIPS.  So, I have seen a significant number of organizations perform SRAs annually to 'kill two birds with one stone'.  The view I have heard is that it's frequently better to be safe than sorry and to be over-prepared for audits.

As practices and organizations document their SRAs, it's not just critical to identify security gaps, but also to be sure to create an action plan, with a timeline, to address those gaps.  If a provider or organization is audited, it is important to have not only your SRA documentation but also the corrective action plan you have in place to address the documented gaps, because having an 'inadequate' or perfunctory SRA, as viewed by CMS auditors, was also cited as an SRA shortcoming in the past.  With so many breaches, required software patches, and OS platforms being sunset, it's becoming difficult to imagine an organization of any size not having some SRA updates to include in their annual review for MU/MIPS, which I believe also helps drive the frequency of SRA updates and full re-assessments.

As an aside, in case anyone missed it, AHIMA is offering a free Cybersecurity Webinar, from within this month's AHIMA Journal.  AHIMA members and non-members can access a free, on-demand webinar on how healthcare organizations can identify and mitigate cybersecurity threats during the COVID-19 pandemic, "Cybersecurity & Health-ISAC's Response to the COVID-19 Pandemic".  The webinar is moderated by me, with special guest speaker Errol Weiss, Chief Security Officer, H-ISAC (Health Information Sharing and Analysis Center).  While more on cybersecurity than HIPAA compliance, some important resources for protecting PHI and cyber-infrastructure are reviewed, along with some ONC Security Training material and the ONC's Security Risk Assessment tool.  An offer for free H-ISAC membership to help provider organizations' cybersecurity postures is included, along with additional resources that can help improve a healthcare organization's privacy and security with adequate and enhanced cybersecurity.  Complimentary registration can be found here.

    A. Andrews Dean, CPHIMS, CHDA, CPHI, CPPM, CPC
    AHIMA-Approved Data Analytics Trainer
    Health IT Regulatory Affairs & Healthcare Compliance Consultant