Healthcare Security Risk Analysis Myths Debunked
- serveralerts
- Dec 23, 2025
- 1 min read
Listed below are five of the most common myths regarding security risk analysis.
Myth #1: It is optional for small providers
Truth: All HIPAA-covered entities must perform a risk analysis. The same applies to providers who want to receive Electronic Health Record (EHR) incentive payments.
Myth #2: Installing a certified EHR fulfills the Meaningful Use (MU) requirement
Truth: Performing security risk analysis is a must even if there is a certified EHR. The MU requirement covers all PHI you maintain, not just what is in the EHR.
Myth #3: The EHR vendor takes care of all privacy and security matters
Truth: The EHR vendor may provide information, support and training on the privacy and security matters of the product, but they are not responsible for making the product compliant with privacy/security regulations.
Myth #4: Security risk analysis needs to focus only on the EHR
Truth: You must analyze all electronic devices that handle PHI, not just the EHR.
Myth #5: Risk analysis needs to be conducted just once
Truth: To comply with the regulations, you must continually ramp up your security posture. This includes conducting regular risk analysis.
If you have read this far, chances are you want to ramp up your security and compliance posture through continual security risk analysis.
If you’re worried about where to start, SharkEye can help. It’s usually easier and more effective to collaborate with an experienced partner like us for risk analysis. To get started, contact us now to request a consultation.