MIPS Requires a CURRENT Security Risk Assessment (SRA)
Security Risk Assessment may already sound familiar to participants in the Merit-based Incentive Payment System (MIPS). MIPS eligible clinicians are required to perform a Security Risk Assessment (SRA) to satisfy the Promoting Interoperability performance category. Promoting Interoperability is the new name for what was previously called Advancing Care Information and, before that, Meaningful Use.
The name “Security Risk Assessment” seems straightforward, and the attestation mechanism is simple to complete: it is a single check box stating that the SRA has been finished. Be careful, though. Checking the box is an attestation, and the intent behind the requirement is serious business.
The Security Risk Analysis measure of the Promoting Interoperability category, established under the Medicare Access and CHIP Reauthorization Act (MACRA), requires medical providers to:
“Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician’s risk management process.”
At Whittle Advisors, we have streamlined the 200-page SRA survey (developed by CMS) and created software tools that map the compliance requirements onto a manageable process. Our team manages the entire process for our clients. Our Security Risk Assessment includes an onsite analysis of the physical, technical, and ePHI handling requirements for compliance.
Our assessments result in several required deliverables:
Complete Risk Assessment
Production of a Risk Assessment is one of the primary requirements of the HIPAA Security Rule’s Administrative Safeguards (45 CFR 164.308(a)(1)), which the MIPS measure above incorporates by reference. In fact, the Risk Assessment is the foundation of the entire security program. Risk Assessments help HIPAA Covered Entities identify where their protected data is stored, how it moves within the organization, and where it enters and leaves the organization.
The value of a Risk Analysis cannot be overstated.
Dept. of Health and Human Services Office for Civil Rights civil penalties for willful neglect start at $10,000 per violation and reach $50,000 per violation when the neglect is not corrected; failure to conduct or keep current a Security Risk Assessment is one of the deficiencies OCR cites most often in its enforcement actions.
Risk Profile/Risk Review
A risk profile assigns each assessment finding an indicator of risk. The risk profile is used to prioritize the remediation plan that clears the compliance issues found. We offer quarterly updates to the Risk Review, which refresh the Risk Assessment, document progress against previously identified risks, and surface new risks that may have been introduced by a system upgrade or a personnel change.
The indicator of risk is a numerical value applied to each identified risk associated with the creation, management and destruction of ePHI. The numerical value ranks the remediation tasks by severity, so the organization can tackle the most critical issues first.
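The following is an added example, not Whittle Advisors' tooling or the CMS survey, of what a numerical risk indicator and a quarterly review look like in practice: each finding gets a likelihood and an impact on a 1 to 5 scale (a common NIST SP 800-30 style heuristic, assumed here; the page does not specify the scale), the product is the indicator, open findings are ranked by it, and a review compares two quarterly registers to report what was remediated, what is still open, and what is new. The finding IDs, descriptions and scores are constructed sample data.

```python
"""Risk register with a numerical risk indicator and a quarterly review diff.

Added illustration: the 1-5 likelihood x impact scale, the band thresholds and
the sample findings are assumptions, not anything from the page or from CMS.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    finding_id: str
    description: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (large ePHI exposure)
    status: str = "open"       # "open" or "remediated"


def risk_score(f: Finding) -> int:
    """Indicator of risk: likelihood x impact, range 1..25 (assumed scale)."""
    for value in (f.likelihood, f.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{f.finding_id}: likelihood/impact must be 1..5")
    return f.likelihood * f.impact


def risk_band(score: int) -> str:
    """Map the numeric indicator to a severity band (thresholds assumed)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_findings(register: List[Finding]) -> List[Tuple[str, int, str]]:
    """Open findings ordered for remediation: highest score first, then by ID."""
    ranked = [(f.finding_id, risk_score(f), risk_band(risk_score(f)))
              for f in register if f.status == "open"]
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


def review_delta(previous: List[Finding], current: List[Finding]) -> Dict[str, List[str]]:
    """Quarterly Risk Review: progress on old risks and any newly introduced ones.

    A previously open finding counts as remediated if it is now marked
    remediated or has dropped out of the register entirely.
    """
    prev_open = {f.finding_id for f in previous if f.status == "open"}
    curr_open = {f.finding_id for f in current if f.status == "open"}
    return {
        "remediated": sorted(prev_open - curr_open),
        "new": sorted(curr_open - prev_open),
        "still_open": sorted(prev_open & curr_open),
    }


# Constructed sample registers for two consecutive quarters.
Q1_REGISTER = [
    Finding("SRA-001", "EHR server backups stored unencrypted", 4, 5),
    Finding("SRA-002", "Shared login on front-office workstation", 3, 3),
    Finding("SRA-003", "Terminated employee account still active", 2, 4),
    Finding("SRA-004", "Visitor sign-in log not maintained", 2, 1),
]
Q2_REGISTER = [
    Finding("SRA-001", "EHR server backups stored unencrypted", 4, 5, "remediated"),
    Finding("SRA-002", "Shared login on front-office workstation", 3, 3),
    Finding("SRA-003", "Terminated employee account still active", 2, 4),
    Finding("SRA-004", "Visitor sign-in log not maintained", 2, 1),
    # Introduced by a practice-management upgrade between reviews.
    Finding("SRA-005", "Upgraded practice-management DB listens on office LAN", 3, 4),
]

if __name__ == "__main__":
    for finding_id, score, band in rank_findings(Q2_REGISTER):
        print(f"{finding_id}  score={score:2d}  {band}")
    print(review_delta(Q1_REGISTER, Q2_REGISTER))
```

The review output is the documentation trail an auditor asks for: which findings from the prior assessment were closed, which remain open, and which are new this quarter. Running the same ranking on each quarterly register keeps the remediation order defensible rather than ad hoc.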
Evidence of Compliance Report
The regulation (and auditors) require evidence that compliance tasks have actually been completed.
That documentation must be retained for six years (45 CFR 164.316(b)(2)). The Evidence of Compliance report includes user and computer inventory information and other source material that supports your compliance activities.
These deliverables give you insight into the level of risk associated with your current use of technology and your protection of electronic protected health information (ePHI). At Whittle Advisors, our technical experts conduct SRAs with a structured, streamlined approach. When we complete your SRA, you will receive:
- A completed SRA report with recommended remediation actions
- Sample security policy
- Evidence of Compliance report
Take advantage of NPO member preferred pricing – $1450
Medical Practice (single location) $999
Discount pricing available through Sept 21st