AE July/August 2018 Vol 27 No 4 - 15

* Implemented comprehensive policies and safeguards to protect mobile devices containing ePHI?
* Planned any new technologies or business operations and how security risks might be addressed in the planning stages?
MEANINGFUL USE AND MISCONCEPTIONS
In Bryant's view, the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs brought SRA out of the shadows by requiring eligible providers to attest to having conducted or reviewed a risk analysis that met HIPAA standards for each EHR reporting period.
"SRA has been a required measure since Meaningful Use Stage 1," said Chris Dean, CSSA, Netgain EHR analyst (St. Cloud, Minn.). She explained, "Not only does it continue as a required objective in the MIPS and APM programs, the SRA requirements have mostly stayed the same, with the HIPAA Security Rule governing the objectives."
But many providers have had to return incentive payments because they couldn't produce SRA documentation when audited. Why might this happen?
One common misconception is that practices can fulfill the SRA requirement simply by installing certified EHR technology (CEHRT). But, even with CEHRT, a practice must perform a full security risk analysis.2
Another misconception is that "practices don't need to conduct an SRA because their EHR or IT vendor handles everything," said Dean. A vendor may provide information, assistance, and training on privacy and security aspects of the applications, but it is "solely the responsibility of the practice to have or conduct a complete risk assessment," she explained.
Finally, the breadth of HIPAA's SRA requirement, which covers all electronic devices that create, maintain, receive, or transmit ePHI, is often misunderstood. "Almost every organization I work with has ePHI outside its EHR that is not considered in internally conducted SRAs," said Bryant. Ophthalmology practices, for example, routinely use diagnostic devices for visual field measurements. Patient identifiers are entered into the device, which has a digital memory for recalling results. "Data in that device must be protected in the same way and to the same degree as ePHI in an EHR," Bryant emphasized.
COMPLIANCE
Conducting an enterprise-wide SRA is extremely challenging. To help covered entities, and especially small and medium-sized providers, the Office of the National Coordinator for Health Information Technology and OCR issued an improved HIPAA Security Risk Assessment Tool in 2016.3 It is a self-contained operating system for Windows devices and iPads that contains 156 questions. Using the Tool does not guarantee compliance, but it can help ensure an SRA is thorough and organized.
However, many practices do not have staff specializing in HIPAA, and "well-meaning staff may not provide an accurate picture of an organization's security posture," said Bryant. Similarly, Dean stressed that, given the current cybersecurity landscape, the risks of a data breach, increased HIPAA penalties, and the prevalence of audits, many experts now recommend that practices have SRAs performed by a third-party expert.
"Security is not an IT problem, it is a business problem," Dean concluded.
NOTES
1. HHS OCR. (Content last reviewed 2017, Mar 9). Guidance on risk analysis. https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
2. HealthIT.gov. (Content last updated 2014, Mar 28). Top 10 myths of security risk analysis. https://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
3. HHS ONC. (2016, Oct 13). Revised HIPAA Security Risk Assessment Tool now available. Health IT Buzz. https://www.healthit.gov/buzz-blog/health-it-security/revised-hipaa-security-risk-assessment-tool/

Jeanne S. Holden (703-451-5903, jeanneholden@yahoo.com) is a freelance writer-editor based in Springfield, Va.

