Under the HIPAA Security Rule, Covered Entities (CEs) are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (Electronic Patient Health Information). The Security Risk Analysis is mandatory for any organization that accesses ePHI. On completion of a Security Risk Analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels.
- Onsite technician to conduct a 132-point thorough assessment
- Identification of all risk areas and consultation on how to mitigate Medium & High Risks
- Quarterly trainings for your HIPAA Compliance Officer via webinar with our training experts
- Annual trainings for all staff members to meet government regulations, via webinar with our training experts
- Quarterly network scans for intrusion detection
- 65-page HIPAA Manual for corporate use
- Creation of necessary policies and procedures, such as Business Resumption Plans
- Consultation services with our North Shore HIPAA experts to discuss ongoing compliance
No. Not having a thorough Security Risk Assessment (SRA) performed is a major HIPAA violation. All Covered Entities are required to have a Security Risk Assessment performed if they have access to PHI/ePHI. Also, all providers who are participating in MACRA/MIPS are considered to be at a higher risk for a government audit.
No. To comply with government regulations, you must continue to review, correct or modify risks, and update your security protections on an ongoing basis. Due to changes within a practice and continually growing cyber threats and attacks, we recommend a Security Risk Assessment be conducted or updated annually.
When it comes to a HIPAA Security Risk Assessment, before I attest for MACRA/MIPS, do I need to fully mitigate all risks?
No. MACRA/MIPS requires that you conduct a Security Risk Assessment each year. You must be able to prove that your practice has been continually addressing the gaps in your compliance that the risk assessment indicates. If the Centers for Medicare and Medicaid Services audits you, you must present a current SRA, as well as previous years’ SRAs, showing which high-risk areas have been mitigated.
My Electronic Medical Record company handles my MIPS reporting. Why do I need SPIN to help with this?
Most Electronic Medical Record (EHR) companies do not report your data in a way that is best for your MIPS score. They report the minimum amount of information necessary, or they will report way too many measures, all of which can have a huge impact on your overall MIPS score. With SPIN, we will work with your EHR company in an effort to get you the best possible score, so that you do not leave any Medicare Part B increase money on the table.
With SPIN, you would contact a member of your SPIN team and they would work with you to rectify the issue on your behalf. You will have an attorney dedicated to your case.