South Florida Hospital News
November 2014 - Volume 11 - Issue 5

Security Risk Assessments: Helping Achieve Compliance

Anyone in the health care industry who deals with HIPAA compliance or is in the process of attesting for Meaningful Use is probably very familiar with the requirement to conduct a security risk assessment (SRA) in one’s organization. The purpose of the SRA is to analyze the administrative, physical and technical safeguards that the organization has in place to protect the security of data, including Protected Health Information (PHI), and to identify areas where weaknesses are present.
Many organizations do not place enough emphasis on the SRA and merely view it as something that needs to be done for compliance. By conducting a thorough and concise security risk assessment, organizations can identify weak areas that might be preventing compliance and create a basis for a sound security risk management program.
Here is what companies need to do to conduct a security risk assessment:
• Conduct an SRA Based Upon Compliance Requirements
Health and Human Services’ (HHS) Office of Civil Rights (OCR) has outlined every requirement that is needed in order to be HIPAA compliant ( Use this as a base for conducting the SRA. OCR and the Office of the National Coordinator for Health Information Technology also teamed up and developed an SRA tool that is meant for small- to medium-sized providers to aid in identifying areas of concern that should be included in a risk assessment (
• Evaluate Identified Risks
Determine the likelihood and the impact of identified risks to focus on the critical areas where mitigating controls are required. This will also help build a risk matrix where risks can be graphed for a visual representation.
• Identify and Map Existing Weaknesses and Mitigating Controls
This step helps organizations discover where their weaknesses are, allowing them to analyze mitigating controls and to map them to ensure that identified risks are addressed. After mapping is complete, organizations will have a clear picture of where mitigating controls need to be placed.
• Propose Action Plans
New mitigating security controls should have implementation plans and completion dates. Existing controls that are identified as not being effective should be revised. Focus on solutions that are realistic, sustainable and effective.
• Review and Update SRA
It is important to review and update the SRA after mitigating controls have been implemented in order to have a good representation of risks that are still present in the organization. The risk assessment should be reviewed yearly or more frequently, whenever a change is being planned or whenever a significant change has occurred in the organization.
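The five steps above describe a small, repeatable process: score each identified risk by likelihood and impact, place it on a risk matrix, map existing controls to it, list planned controls with completion dates, and set a review date. The following Python script is an added example that is not part of the article or of Marcum LLP's material; it works through that process on a constructed sample risk register. The three-point likelihood and impact scales, the rating thresholds and the four register entries are assumptions made for illustration, not values from the article.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Ordinal scale shared by likelihood and impact (assumed for this example).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    """A mitigating control: either in place (effective) or planned, with a due date."""
    name: str
    effective: bool
    due: Optional[date] = None


@dataclass
class Risk:
    """One row of the risk register produced by the SRA."""
    id: str
    description: str
    safeguard: str            # administrative / physical / technical
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def score(self) -> int:
        # Likelihood x impact gives the ranking used to place a risk on the matrix.
        return SCALE[self.likelihood] * SCALE[self.impact]

    def rating(self) -> str:
        # Thresholds are assumed; adjust them to the organization's risk appetite.
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"

    def mitigated(self) -> bool:
        # A risk counts as addressed only if at least one mapped control is effective.
        return any(c.effective for c in self.controls)


def build_matrix(risks: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Group risk ids by (likelihood, impact) cell so the matrix can be drawn."""
    matrix: Dict[Tuple[str, str], List[str]] = {}
    for r in risks:
        matrix.setdefault((r.likelihood, r.impact), []).append(r.id)
    return matrix


def find_gaps(risks: List[Risk]) -> List[str]:
    """Risks with no effective control, highest score first (ties broken by id)."""
    gaps = [r for r in risks if not r.mitigated()]
    gaps.sort(key=lambda r: (-r.score(), r.id))
    return [r.id for r in gaps]


def action_plan(risks: List[Risk], today: date) -> List[dict]:
    """Planned (not yet effective) controls, flagging overdue and undated ones."""
    plan = []
    for r in risks:
        for c in r.controls:
            if c.effective:
                continue
            plan.append({"risk": r.id, "control": c.name, "due": c.due,
                         "undated": c.due is None,
                         "overdue": c.due is not None and c.due < today})
    return plan


def next_review(last_review: date, today: date, significant_change: bool = False) -> date:
    """Yearly review, or an immediate one when a significant change is planned or has occurred."""
    if significant_change:
        return today
    try:
        return last_review.replace(year=last_review.year + 1)
    except ValueError:            # 29 February in a non-leap year
        return last_review.replace(year=last_review.year + 1, day=28)


# Constructed sample register; entries are illustrative, not from any real assessment.
REGISTER = [
    Risk("R1", "Laptops holding PHI are not encrypted", "technical", "high", "high",
         [Control("Full-disk encryption rollout", effective=False, due=date(2015, 1, 31))]),
    Risk("R2", "Workforce security training not documented", "administrative", "medium", "medium",
         [Control("Annual HIPAA training with sign-off", effective=True)]),
    Risk("R3", "Server room door frequently left unlocked", "physical", "medium", "high"),
    Risk("R4", "Shared logins on EHR workstations", "technical", "high", "medium",
         [Control("Unique user IDs and audit logging", effective=False, due=date(2014, 11, 1))]),
]

if __name__ == "__main__":
    today = date(2014, 11, 15)
    for cell, ids in sorted(build_matrix(REGISTER).items()):
        print(f"matrix {cell}: {ids}")
    print("unmitigated, by priority:", find_gaps(REGISTER))
    for item in action_plan(REGISTER, today):
        print("action:", item)
    print("next review:", next_review(today, today))
```

The output of `find_gaps` is the list the "Identify and Map" step is meant to produce: risks that have no effective control yet, ordered so the critical ones come first. `action_plan` turns the "Propose Action Plans" step into something auditable, since a planned control with no due date, or one that has slipped past it, is visible rather than buried in a spreadsheet, and `next_review` encodes the article's yearly-or-on-change review rule.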
For additional information or assistance, contact Heather Bearfield at or Mark Fromberg at at Marcum LLP at (954) 320-8000.