Conducting annual risk assessments and dispositioning what will be done in response to each of the identified risks, are an important part of complying with HIPAA regulations. Practices do not necessarily have to meet every single standard, however. HIPAA specifies which implementation specifications are “required” versus which are “addressable.” 

Implementation specifications that are required, such as the annual security risk analysis, are similar to a standard in that all physicians and other covered entities must conduct an annual risk analysis in accordance with the Security Rule. Implementation specifications that are “addressable” allow practices to determine if addressing each one is reasonable and appropriate given a practice’s specific circumstances.

Whether a risk assessment is completed in-house or through an external organization, the individuals conducting the assessment need to sit down with the practice’s decision makers and review all of the identified risks, said Theresa Wilkes, a medical informatics strategist for the American Academy of Family Physicians. 

Practices must then disposition how they choose to address each identified risk by either making changes to mitigate these risks (often by putting administrative, physical, or technical safeguards in place), finding an alternative solution (such as purchasing cybersecurity insurance to insure against the risk), or in some cases by choosing not to make changes and accept the risk after carefully analyzing (and documenting) what is reasonable and appropriate given their circumstances. For instance, if a practice looks into purchasing cyber security insurance and finds it is cost prohibitive, the practice can choose to take the risk of not buying it.

Documentation

The federal Office for Civil Rights (OCR) does not consider a risk assessment complete until health providers have looked at each identified risk and determined how the risk will be mitigated, or not, Wilkes said. This process needs to be documented. If a hard copy of the risk assessment is available, it should be signed and dated by the authorized person in the practice. If the assessment has been done online, a screen shot with the date and time it was completed is required. 

Physicians and other providers should recognize that the law was written so covered entities and practices have some autonomy on how to address each item that best works for their practice, Wilkes said. “This doesn’t have to be overwhelming,” she said. “You need to set it up so you are identifying what is reasonable and appropriate given your practice, then document that decision making.” If decision making on how an identified risk will be dispositioned is not documented, it is deemed not to have occurred and rationale is then not recorded to support the practice in the event of an audit. 

The Department of Health and Human Services (HHS) has a security risk assessment tool (www.HealthIT.gov/security-risk-assessment) that can help. The HHS tool will assist individuals as they go through the results and help them understand how to address each risk depending upon the practice, Wilkes said.

The tool is mostly user friendly, but not frustration-free. She loosely compares use of the SRA tool for risk assessment to use of tax preparation software for tax returns, noting it makes the process achievable by an individual but it can be necessary to read many of the pop ups stating whether or not an issue is required versus addressable, and what administrative, physical or technical safeguards might help mitigate a particular kind of risk. 

This article originally appeared on Renal and Urology News