Top 10 Myths of Security Risk Assessments

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to conduct a risk assessment annually to identify risks and vulnerabilities to electronic Protected Health Information (ePHI).

As with anything, there is misinformation about the HIPAA Security Rule and the required risk assessment. The following are the top 10 myths of Security Risk Assessments.

1. I only need to do a Security Risk Assessment (SRA) once.

Myth. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

2. The SRA is optional for small providers.

Myth. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

3. I only need to do a risk analysis when I adopt an EHR.

Myth. While you are required to do a full SRA as you adopt an EHR, you MUST review and update the prior analysis for changes in risk EVERY year or when changes to your practice or electronic systems occur.

4. My EHR vendor took care of everything I need to do about privacy and security.

Myth. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete SRA conducted.

5. My SRA only needs to look at my EHR.

Myth. An SRA must review all electronic devices that store, capture, or modify ePHI. This includes any hardware or software that can access your EHR data.

6. Expert knowledge is not required for an SRA.

Myth. While you can perform an SRA internally, you must have the requisite knowledge, experience and understanding. Doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

7. A checklist will suffice for the risk analysis requirement.

Myth. Checklists can be useful tools, especially when starting a risk analysis. However, they are not the equivalent of a systematic security risk analysis and do not document that one has been performed.

8. There is a specific risk analysis method that I must follow.

Myth. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule to assist organizations in identifying and implementing the most effective and appropriate safeguards to secure ePHI.

9. Simply installing a certified EHR fulfills the security risk assessment Meaningful Use and MACRA requirements.

Myth. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all protected health information you maintain, not just what is in your EHR.

10. The SRA is the only activity required for managing risk.

Myth. An SRA is a key component of a comprehensive risk management framework. However, a variety of other, continuous activities and components are required to adequately manage risks.

To speak to Keystone’s leading security experts about your annual Security Risk Assessment, click here.