It’s that time of year again! The air is crisp, the leaves are changing colors and Halloween is right around the corner. In healthcare, the season change also provides us with another reminder – have we completed our annual Security Risk Analysis before year-end?
In 1915, W. E. Hill published the famous cartoon “My Wife and Mother-in-Law” with the caption, “They both are in this picture — find them!” This optical illusion is known for its two distinctive faces. When most look at this image, they immediately make out one of the faces. Which one do you see?
Similarly, when you look at your Security Risk Analysis (SRA) documentation, do others see what you see, or is their impression different than yours? HIPAA tells us that an annual SRA is required. In the past, many healthcare organizations have looked at the SRA as just another task to check off a checklist to be compliant. However, in light of recent Office of Civil Rights (OCR) audits and fines, the Security Risk Analysis cannot be devalued. The SRA is meant to serve as an evaluation of your compliance with various administrative, physical and technical safeguards pertaining to both the Privacy and Security portions of HIPAA. Unfortunately, this process is not “black or white.” It is notoriously vague, sometimes creating different impressions of what is acceptable for a strong SRA. As such, healthcare organizations are often confused or do not appropriately document what should be captured in the SRA. Organizations can often fill in the blanks verbally if asked a question, but many times they overlook capturing those small — but important — details on paper where it really matters.
Does your Security Risk Analysis documentation tell the whole story? Or will a bystander (like the OCR) be left to make their own impression of the image you’ve created? Utilize a second set of experienced eyes to know if everyone will have the same impression relying on the snapshot of your documentation. Some third parties are extremely proficient in HIPAA and have an ability to “read between the lines.” Some can help you capture those verbal responses and ensure your documentation is complete in case the OCR does come knocking at your door. Don’t leave your Security Risk Analysis documentation up to interpretation; verify that your SRA accurately and comprehensively captures your organization’s Policies and Procedures.
By the way, if you are having trouble with the above image, the “wife” in the cartoon can be spotted by looking to find her eyelashes and nose on the left side of the image. Imagine her chin is a nose and her necklace is a mouth to spot the “mother-in-law.” Two different perceptions from one image!
Need help completing your Security Risk Analysis for 2016? ScanSTAT provides a comprehensive HIPAA compliance portal solution which includes an SRA. Contact Kathryn Ayers Wickenhauser at Kathryn.Wickenhauser@ScanSTATTechnologies.com for a customized quote based on your total number of employees (including providers).