You may think you are secure and in compliance but there’s a chance you may be wrong.

Small companies do not need to complete a security risk analysis.

False. No matter what size your company is, a security risk analysis is a requirement to stay on top of your security posture. You can’t protect an asset if you don’t know the risks involved.

I’m an SMB, so I’m not a target.

Again – False. Attacks against SMBs are becoming more prevalent precisely because their security is weaker, which makes them easier to infiltrate and steal data from.

I have to outsource the security risk analysis.

False. Many SMBs may be able to do their own risk analysis using readily available tools. However, an accurate and thorough risk analysis that will not fail a compliance review may require expert knowledge that the “covered entity” does not have. In that case, it’s best to get professional help from someone with experience in HIPAA Security compliance.

We can just use a risk analysis checklist to be compliant.

False. A checklist will guide you through the process of your risk analysis, but it will not perform a technical security risk analysis of the controls you have in place to verify that they meet current HIPAA security requirements.

I must follow a specific risk analysis method.

False. You can use a specific risk analysis method as your baseline, but you should tailor it to meet your exact security needs. There are many different risk analysis methods based on different variables, and each has different outcomes.

I only need to review my EHR for my security risk analysis.

False. You must review ALL systems that store, transmit, capture or modify your ePHI; the review is not limited to your EHR system. This includes tablets, phones, printers, fax machines, portable medical devices, workstations and all servers.

I already did a risk analysis, so I’m compliant.

False. The HIPAA Security Rule indicates that you must continually and periodically review your risk analysis to make sure it’s current. If anything changes, you must update your risk analysis to include new systems, vendors and other devices that may come in contact with ePHI.

I must fully mitigate all risks before I attest my EHR.

False. You can never mitigate all risks. You must identify and correct deficiencies to the best of your ability during the risk management process.

I have to do a full security risk analysis each year.

False. Typically you will need to perform one full security risk analysis. You should then determine a reasonable review interval (monthly, quarterly or annually, based on your own needs) and make the necessary modifications to your security risk analysis when risks change. “Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.”