Why do I need a Security Risk Assessment (SRA)?

In order to comply with the government HIPAA Meaningful Use requirements and the upcoming MACRA regulations, you need to have a Security Risk Assessment.  Similar to having your books audited by an external accounting firm, having this assessment performed for your internal use by an independent firm such as Zombie Data, which is not directly involved with day-to-day operations, adds credence to the assessment.  This type of assessment will show that you take the security of your patient records and other critical data seriously, while identifying opportunities for improvement in your operations.  Being able to document these items and eventually show progress on remediation is key.


Do I need to perform a Security Risk Assessment (SRA) on an annual basis?

Technically, no, but performing an SRA on an annual basis will allow you to easily demonstrate progress on items identified last year, incorporation of new rules related to HIPAA or MACRA as they come down, etc.  It never hurts to be prepared for an audit from CMS.


Do I need to do this prior to the current calendar year ending?

The US Government, particularly CMS, is looking to update the percentages paid for various services or procedures, particularly for Medicare and Medicaid patients, based in part on your firm’s handling of patient records.  In our opinion, having an assessment performed prior to the end of the calendar year provides you with the best defense and the ability to show that your practice takes this seriously.


How fast can a Security Risk Assessment be scheduled?

Typically we are scheduling a week in advance, but as the end of the year approaches we do our best to schedule everyone as soon as possible.  As long as we can schedule and perform the initial Assessment Interview by year’s end, we can document this as a ‘current year’ activity.


So what is this process like?  Who needs to be involved?

Step 1: The actual Assessment Interview:  Typically we take an hour (a maximum of two) with the Practice’s Office Manager or the person in your office responsible for the handling of patient records, either electronically on a computer system or on paper if that is how your office operates.  Sometimes the doctor or managing partner of a practice wants to be involved and participate, but we understand that their time is valuable, so this is not 100% necessary.  We routinely perform this initial Assessment meeting via a conference call so as to complete this portion with as little disruption to the office routine as possible.

Step 2: Publish our Evaluation and Recommendations:  We take the input from the Assessment Interview and walk through the responses to create a formal Evaluation document along with our Recommendations or Opportunities for Improvement.  Creation of these documents generally takes a few days before we can publish them and provide them back to the practice.  We generally schedule a review session with the same people from the Practice who were involved in Step 1.  It is more likely that the doctor or managing partner of a practice is involved at this point.

Any further joint involvement between our firms depends entirely on the list of findings and recommendations we may present and is entirely up to the practice itself.


So what are the current rules related to HIPAA, Meaningful Use and the upcoming MACRA regulations?

As you are no doubt aware, the government is constantly changing and updating regulations related to the Health Care Industry.  We suggest you familiarize yourself with the US Government HIPAA website as well as the MACRA website.  If I told you that these regulations were clear and easy to understand, I would be misleading you.  Having worked in the Financial and Health Insurance verticals for several years, I can tell you that even simplified rules are verbose and difficult to understand.  We work diligently to keep abreast of the current regulations and to ensure our Assessment covers the items pertaining to the current rule set.