877.334.8512 |      

EHR and practice management for mental / behavioral health

Top 10 Myths of HIPAA Security Risk Analysis

PIMSY software for inpatient services shares common Security Risk Analysis (SRA) myths

by Donna Koger, 3.3.16

As with any new program or regulation, there may be misinformation making the rounds about Security Risk Analysis (SRA). The following is a top 10 list distinguishing fact from fiction.

1. The security risk analysis is optional for small providers

False. All providers who are “covered entities” (CEs) under HIPAA are required to perform a risk analysis. In addition, all providers who are participating in the Meaningful Use (MU), aka EHR incentive program, must conduct a risk analysis.

2. Simply installing a certified EHR fulfills the SRA MU requirement

False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information (PHI) you maintain, not just what is in your EHR.

3. My EHR vendor took care of everything I need to do about privacy and security

False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EMR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

4. I have to outsource the security risk analysis

False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional SRA that will stand up to a compliance review requires expert knowledge that could be obtained through services of an experienced outside professional.

There are a couple of free tools available to assist you while conducting a SRA:
1. ONC Checklist Tool
2. NIST HSR Checklist Tool

5. A checklist will suffice for the risk analysis requirement

False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

6. There is a specific risk analysis method that I must follow

False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure electronic protected health information (e-PHI).

7. My security risk analysis only needs to look at my EHR

False. Review all electronic devices that store, capture, or modify e-PHI. Include your EMR hardware + software - and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

8. I only need to do a risk analysis once

False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see the Reassessing Your Security Practice in a Health IT Environment.

9. Before I attest for an EHR incentive program, I must fully mitigate all risks

False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process. If a risk exists but cannot be mitigated, the reason must be fully documented.

10. Each year, I’ll have to completely redo my security risk analysis

False. Perform the full security risk analysis as you adopt an EMR or as a baseline. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks.

Sources Include:


donna-k-2-S Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.


Kudos from Clients

  • Seth H.

    “PIMSY more than pays for itself by streamlining my office, improving efficiency and reducing billing times. I would recommend PIMSY to anyone looking for a good EMR company that will help you implement its program and help you with any questions you have along the way.”

    ~ Seth H., Business Owner

  • Karen B.

    “Love PIMSY! So much quicker to complete notes and easier for everyone working with clients to know current authorizations and track units.”

    ~ Karen B., Therapist

  • Dr. Carmen L.

    “I am extremely appreciative and am so glad I decided to go with PIMSY versus the other options I was considering. I was singing your praises to a colleague of mine today who is feeling overwhelmed with her paper process. I highly recommend all of you.”

    ~ Dr. Carmen L., Program Director

  • Kim T.

    “We are now functioning at a 50% faster recovery rate for money and a 50% lower denial rate. You should really give the PIMSY team time to demonstrate for you personally.”

    ~ Kim T., Business Director

Subscribe To Our Newsletter

Subscribe to the PIMSY newsletter
What topics are you most interested in?