
Security Risk Assessment 2019

**See attached for Word Template**

Objective Name: Protect Patient Health Information

Measure ID: PI_PPHI_1

Mission: Protect Patient Health Information by ensuring medical practice has a clear policy/protocol to evaluate and institutionalize appropriate safeguards.

Measure Description: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of ePHI data created or maintained by certified EHR technology in accordance with requirements in 45 CFR164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the MIPS eligible clinician's risk management process.

Federal Requirements: Conducting or reviewing a security risk analysis to meet the standards of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule is included in the meaningful use requirements of the Medicare and Medicaid EHR Incentive Programs. Eligible professionals must conduct or review a security risk analysis for each EHR reporting period to ensure the privacy and security of their patients’ protected health information:

PHYSICAL SAFEGUARDS

Building Security

  • alarm systems in place
  • list of personnel with alarm clearance
    • Physician 1
    • Office Manager
    • Staff 1

Office Security

  • locked doors, rooms
    • Front door
    • Back door
    • Administrative office

Computer Security

  • security screens with name and password required
  • screen lock after period of inactivity

ADMINISTRATIVE SAFEGUARDS

Security Officer designated and documented

  • regular security training for staff
  • prohibit password sharing
  • ensure policy enforcement
  • have current Business Associate agreements for every employee

Software Security

  • WRS EHR login requires individual username and password
  • screen lock after period of inactivity
  • user activity timestamped and recorded

Monthly review

  • logs checked monthly per staff
  • activity checked monthly per staff

TECHNICAL SAFEGUARDS

  • require staff to update password periodically
  • staff restrictions for after-hour (off-duty) access
  • anti-virus protection, with scans run regularly

POLICIES/PROCEDURES

  • written protocol outlining all above criteria (below)
  • staff training, review documented/retained
  • all staff required to sign Security Policy

Policy:

  1. Practice will select a Security Risk Officer (SRO) annually.
  2. SRO will conduct a monthly Security Risk Assessment and Safeguards Review (physical, administrative, technical, policy/procedural). The Security Risk Assessment and Safeguards may be updated as needed.
  3. SRO will complete the Security Risk Assessment Tool annually to (1) highlight vulnerabilities and (2) create an action plan to address those vulnerabilities.
  4. SRO will investigate any issues and violations. Each issue and violation will be documented.
  5. SRO will onboard/train new staff with an emphasis on cultivating a culture of protecting Patient Health Information (PHI). New staff will be required to sign a Business Associate Agreement that highlights individuals’ responsibility to protect Patient Health information (PHI).
  6. SRO will routinely retrain staff by reviewing medical practice’s obligations to protecting Patient Health Information (PHI) and individuals’ responsibilities as per Business Associate Agreement.
  7. SRO will ensure that medical practice is adhering to and compliant with all local and federal guidelines.
**ACTION ITEM:** complete the Security Risk Analysis (SRA) Tool here. Ensure the medical practice is compliant on all issues/questions. Address any deficiencies. Document all results, actions performed, and actions required.

  1. Download the SRA Tool.
  2. Complete the 156 questions.
  3. Run the tool and print the PDF/Excel document to place in the 2019 MIPS Binder.

HIPAA Security Risk Analysis Tool Completion Date: _______________________

Security Risk Officer: _______________________

MIPS Security Risk Analysis Implementation Date: _______________________

Security Risk Analysis conducted monthly