Healthcare IT Consulting By Jill Lowe, Healthcare Account Manager

When most of us first did a HIPAA Security Risk Analysis, it was not due to altruistic security worry. Nope, it was required for Meaningful Use Attestation. And since not having an SRA is the number one reason for failing a Medicare audit, it’s a darn good thing to have. But if we did a thorough assessment, it did indeed identify items to remediate and improve ePHI security.


As EMRs, Patient Portals and Technologies evolve, there are more opportunities for security risks to slip in. Which leads to including more in the SRA, and additional ways to improve ePHI security are discovered. Of course, the size of the practice and number of locations also adds to the complexity of the SRA. There is definitely not a one size fits all static template.

And then there are remediation challenges. Persuading everyone to get on board with implementing remediation items is no simple task. Let’s face it, additional security often means increased time. Most started with the basics, like implementing Active Directory and EMR Policy, including Password Complexity. Practitioners were just thrilled to change their 1234 password to one with eight characters, including letters upper case, lower case and number or character. They positively jumped for joy when you said you want to force passwords changed every 90 days, with no repeat passwords. For those who couldn’t get their practitioners to agree to password complexity, they had the additional work of researching alternative solutions.

Since your HIPAA Security Risk Analysis is constantly evolving, I feel best practice is treating it as a living document, with Remediation Summary and Timeline, and Revision History Sections. Saving a version for each year that you and your IT Partner regularly assess, identify and remediate items and update the SRA.

A plus is that if there are no major changes in the practice EMR/PM or locations, some sections will remain relatively constant. Criticality Analysis and Threat and Vulnerability Matrix are two.

Tools:  Security Assessment Tool and Videos +  Guidance on Risk Analysis

About Jill // Jill has over twenty years of experience working in the trenches of healthcare and is our clients’ fiercest advocate. She understands intimately the day to day challenges that our practices face and knows how to best advise and support them in this ever-changing, technology driven climate.