Security Risk Analysis | Kentucky REC

Security Risk Analysis

A Security Risk Analysis is an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic patient health information (ePHI). The HIPAA Security Rule requires all covered entities to conduct a Security Risk Analysis and states the Risk Analysis should be an ongoing process. Once you have completed the Risk Analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)).

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ health information that is created, received, used, or maintained in electronic form by a covered entity (also known as ePHI). The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

Contact the Kentucky REC today for more information on how we can help with your security risk analysis.

Covered Entity

A covered entity is one of the following:

A Health Care Provider	A Health Plan	A Health Care Clearinghouse
This includes providers such as: Doctors Clinics Psychologists Dentists Chiropractors Nursing Homes Pharmacies ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.	This includes: Health insurance companies HMOs Company health plans Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs	This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Covered Entity Guidance Tool

Protecting patients’ ePHI is as important as protecting their paper PHI. An SRA helps to identify vulnerabilities and threats surrounding your EHR and other IT systems containing and transmitting ePHI. Once identified, you will need to mitigate the vulnerabilities to reasonable level.

Please note all providers who are covered entities under HIPAA are required to perform a Security Risk Analysis.

Use the following tool to help determine if you are a Covered Entity

Why Do I Need an SRA?

EHR Incentive Program SRA Guidance

Quality Payment Programs/MIPS Guidance

KENTUCKY REC HIPAA NEWS

HIPAA WEBINAR JULY 9: VIRTUAL SRA 2020 – SOCIAL DISTANCING OPTION FOR STAYING HIPAA COMPLIANT

May 27, 2020

Webinar - Virtual SRA 2020: The Social Distancing Option for Staying HIPAA Compliant Thursday, July 9, 2020 12:00 PM ET The Kentucky REC is here to assist you with completing your Security Risk Analysis and ensure organizations stay compliant under the HIPAA...

KHIE & ANTHEM BCBS MEDICAID INCENTIVE OPPORTUNITY

Apr 14, 2020

Kentucky Health Information Exchange Incentive Opportunity Announced! In collaboration with the Department for Medicaid Services (DMS) and the Kentucky Health Information Exchange (KHIE), Anthem Blue Cross and Blue Shield Medicaid (Anthem) is offering participating...

ANNOUNCING KENTUCKY REC ANNUAL HEALTHCARE CONFERENCES! AUGUST AND FALL 2020

Apr 14, 2020

Join the Kentucky Regional Extension Center at our 2020 Annual Healthcare Conferences! This year, our focus is on Navigating the Future. During the conference we will explore a variety of useful topics to help your practice address the challenges of today’s healthcare...

KENTUCKY REGIONAL EXTENSION CENTER

Kentucky REC Services

Upcoming Events

Stay up-to-date