Conducting a Security Risk Analysis


With reimbursement reporting under CMS, formerly under Meaningful Use (MU) and now under the Merit-based Incentive Payment System (MIPS), practices are required to report on their security risk analysis or protection of patient information. The government takes this protection very seriously. In 2016 alone, more than 329 breaches of 500+ health records were reported, totaling over 16 million patient records.1 While cyber attacks and hacking accounted for some of the breaches, in other cases records were compromised through loss or improper disposal.

Many practices think that just installing a certified EHR or conducting a one-time training will cover everything for privacy and security. While EHR vendors can provide training on the privacy aspects of their products, it is up to the practice to take steps to ensure privacy and to document the process. CMS has suggested that supporting documentation for attestation be retained for a minimum of six years.

Internal security risk audits must be completed by the end of the current reporting year, but it is not too early to start for the next year. Practices need to understand that it is not just putting a HIPAA policy in place – it is addressing questions that may come up about security.

Examples include:

• What if an administrator’s laptop is stolen out of a car? Is the laptop password protected? Or is the data encrypted? How do you notify patients?
• If your server goes down, what do you have in place for back-up? And is that back-up protected?
• When your reception area is checking in patients, can the patient read the screen? With computers in the exam rooms, does your staff log off before leaving the room or is there an automatic log-off?

Security risk compliance and HIPAA enforcement are among the subjects most frequently audited by CMS. After receiving an audit letter, practices have little time to respond (often just 10 days to send documentation), and if the audit is not answered completely and successfully, providers can lose thousands of dollars in previous reimbursements.

If your practice needs to ensure you are answering all the possible questions, and documenting the process, the Quality Reporting Engagement Group at IntrinsiQ Specialty Solutions has a checklist and template available for accuracy and completeness as part of their standard consulting services. If you are interested in learning more about this, email us at or call 877-570-8721 x2.