A Current Risk Analysis means Money

To receive maximum payments from the Quality Payment Program (QPP) provisions of MACRA, a practice must prove performance in meeting the Advancing Care Information (ACI) requirement. Central to satisfying the ACI requirement is conducting a thorough security risk analysis. The definition of this risk analysis is taken directly from HIPAA. In addition to facilitating adequate protection of information, a risk analysis meets the requirements of both HIPAA and QPP.

Per HIPAA, any practice that stores Protected Health Information (PHI) digitally is required to complete a thorough risk analysis, see 45 CFR 164.308(a)(1). The purpose of this analysis is to address the security of the PHI that is collected, transmitted, and stored by the medical practice, and to ensure that PHI is being maintained in accordance with the requirements set forth under 45 CFR 164.312(a)(2) and 45 CFR 164.306(d)(3). Not only must the risk analysis be completed, updates and corrective measures must be applied to the identified security deficiencies.

A risk analysis involves two phases. The first phase requires locating all devices that contain PHI, identifying threats and vulnerabilities to that PHI, determining the likelihood that each threat will occur, and assigning a risk level to each threat and vulnerability. The second phase presents remediation options for each threat and vulnerability, then defines the impact that implementing these mitigating measures will have on patients and the practice. Mitigations are subject to the “reasonable and appropriate” standard for determining if and how they are implemented. Clear documentation is necessary to support decisions related to reducing risk. Lastly, the law requires that the risk analysis be reviewed and updated on a periodic basis.
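The two phases above map naturally onto a small risk register: an inventory of PHI-holding assets, a likelihood and impact rating per threat/vulnerability pair, a banded risk level, the mitigation decision with its “reasonable and appropriate” rationale, and a check that the analysis is still within its review period. The following Python is an added illustration written for this page, not Compunet's tooling or any HIPAA-mandated format; the three-point scales, the score bands, the 365-day review interval and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed ordinal scales for the two factors assigned to every threat/vulnerability pair.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    """One threat/vulnerability pair against one device or system that holds PHI."""
    asset: str                          # where the PHI lives (phase-one inventory)
    threat: str
    vulnerability: str
    likelihood: str                     # key of LIKELIHOOD
    impact: str                         # key of IMPACT
    mitigation: Optional[str] = None    # phase-two remediation option
    decision: Optional[str] = None      # "implement" or "accept"
    rationale: str = ""                 # why the decision is reasonable and appropriate

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def risk_level(self) -> str:
        # Band the 1..9 product into the three levels the register reports on (assumed bands).
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"

    def is_documented(self) -> bool:
        # A finding is defensible only when both a decision and its rationale are recorded.
        return self.decision in ("implement", "accept") and bool(self.rationale.strip())


@dataclass
class RiskAnalysis:
    completed: date
    review_interval_days: int = 365     # assumed review period; the rule only says "periodic"
    findings: List[Finding] = field(default_factory=list)

    def add(self, finding: Finding) -> None:
        self.findings.append(finding)

    def is_current(self, today: date) -> bool:
        # False once the analysis is older than the chosen review interval.
        return today - self.completed <= timedelta(days=self.review_interval_days)

    def open_items(self) -> List[str]:
        """Findings that still lack a documented decision, highest risk first."""
        pending = [f for f in self.findings if not f.is_documented()]
        pending.sort(key=lambda f: f.score(), reverse=True)
        return [f"{f.risk_level()}: {f.asset} / {f.threat}" for f in pending]

    def counts_by_level(self) -> dict:
        out = {"high": 0, "medium": 0, "low": 0}
        for f in self.findings:
            out[f.risk_level()] += 1
        return out


def sample_register() -> RiskAnalysis:
    """Constructed sample data for illustration; not from any real practice."""
    ra = RiskAnalysis(completed=date(2018, 8, 8))
    ra.add(Finding("front-desk laptop", "theft of device", "disk not encrypted",
                   "medium", "high", mitigation="enable full-disk encryption",
                   decision="implement", rationale="low cost, built into the OS"))
    ra.add(Finding("practice server", "ransomware", "no tested offline backup",
                   "high", "high", mitigation="nightly offline backups with restore test"))
    ra.add(Finding("fax machine", "misdirected fax", "no cover-sheet verification",
                   "low", "low", mitigation="confirm recipient number before sending",
                   decision="accept", rationale="volume is very low; staff trained on verification"))
    return ra


if __name__ == "__main__":
    reg = sample_register()
    print("risk counts:", reg.counts_by_level())
    print("needs a documented decision:", reg.open_items())
    print("current as of 2019-09-01:", reg.is_current(date(2019, 9, 1)))
```

The point of `open_items()` is the documentation requirement in the text: a finding whose mitigation was chosen but never justified, or a high-risk item with no decision at all, is exactly what an auditor would flag, so the register surfaces it before the review date rather than after.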

A HIPAA-compliant risk analysis is beyond the capabilities of the typical IT shop. Moreover, this analysis is like an audit and should be done by a third party. Compunet has refined the risk analysis process to be very efficient. We simplify meeting the risk analysis requirement; contact us to learn more.

Contact the Security professionals at Compunet to make sure your practice is defensibly compliant and secure. We offer our clients a full Security Suite and 24/7 monitoring of their infrastructure to ensure their networks are properly secured. As a part of our All in One HIPAA Solution, we offer a free Security Assessment. Check out our quick quiz to see if your practice is compliant!

For more information go to our website:

August 8, 2018 HIPAA Blogs