A review is carried out based on a previously completed, proficient risk analysis. In order to conduct a review of a risk analysis, the EP
must have previously performed a comprehensive security risk analysis. It is impossible to perform an adequate review without first
having the sound foundation of a good risk analysis. A review then evaluates any changes that have occurred since the initial risk
analysis was performed, including added equipment involved in the storage of PHI, changes in office facilities or locations, or new
software systems. Once a review is completed, it should provide the EP with guidelines for further improving the security of PHI
based on the list of threats and vulnerabilities identified during the review.
When is a Review Appropriate?
So how should eligible providers determine whether to perform a full risk analysis or a review? A review is admissible under Meaningful
Use and HIPAA standards based on the idea that security is iterative, i.e., it continually builds on what has been done before.
Therefore, the ability to perform a review as opposed to a full risk analysis hinges upon the adequacy of any previous risk analyses. A
good risk analysis should include an inventory of PHI storage devices, identification and prioritization of risks to PHI on the EP's
network, as well as a reasonable set of policies and procedures necessary to secure patient information. If the EP has previously
conducted an adequate risk analysis, then a proper review can be carried out.
Even with an appropriate risk analysis, a review of that risk analysis is not always sufficient for compliance with Meaningful Use Stage
1 requirements. Answers to several of the aforementioned questions can indicate the need for a full risk analysis as opposed to a
review. For example, if an EP's business has moved locations or the office layout has significantly changed, or if the hardware or software
used to manage and store PHI has changed, a full risk analysis may be necessary to elucidate security vulnerabilities at the new facility
or in the new IT systems.
Ultimately, evaluation of every aspect of the original risk analysis is necessary for conducting an adequate review. The review should
incorporate assessment of overall changes in the environment and a methodical consideration of the security risks associated with
those changes. As with every aspect of Meaningful Use attestation and HIPAA compliance, the review should be thoroughly
documented, referencing the prior risk analysis. Each review should result in an additional list of threats and vulnerabilities that can be
added to the Security Management Plan as required by the second HIPAA Security rule.
Recommendations
The language of Meaningful Use allows for the performance of a review, as opposed to a full security risk analysis, in the following
year or two after the initial attestation. If a proper risk analysis was performed the first year, the EP can build on the foundation of that
risk analysis to improve security practices in subsequent years. However, most security experts recommend that every covered entity
perform a full risk analysis every two to three years.
Update
Since this article was initially published, ONC has published its own tool. The ONC tool provides a structured database designed
for small and mid-sized providers to conduct and document annual Security Risk Assessments. Given the authorship of the tool,
providers should have a high level of confidence in the acceptability of an SRA conducted using it. For more information, see
http://www.healthit.gov/providers-professionals/security-risk-assessment.