7 Reasons Why Your HIPAA SRA Is Taking Too Much Time

Almost all healthcare organizations in the United States – large and small – are required by the Federal Government to complete an annual HIPAA Security Risk Assessment.  The purpose is to certify that they are taking adequate steps to protect sensitive patient health information that is in their care.

Unfortunately, many organizations struggle to complete their SRA.  As a result, they wait until the end of the year and then get caught up in a December rush during the holidays or simply decide to put off the SRA and “take their chances”.

There are plenty of reasons why organizations struggle.  We have outlined the leading causes we have seen having done over 10,000 SRAs with clients ranging from single-physician medical practices to very large health systems and health insurers. Additionally, we will provide ideas on how to make your annual SRA an easier process.

Resource Constraints

Most organizations are very cost-conscious and keep departments deemed as cost-centers at very low staffing levels. Add to this, the shortage of qualified security IT personnel and the challenge of retaining them and you have a perfect storm.

Our most recent survey on managing cybersecurity priorities revealed that 85% of our clients struggle with this issue.

The impact of this problem is that the person responsible for completing the SRA has to carry more of the burden of understanding the process and how to engage the organization’s stakeholders in providing their needed contribution.

Competing Priorities

Performing an SRA is a preventive measure. As a risk reduction exercise, it does actually pay dividends over time but is largely deemed to be a “cost item”; unless you are trying to get Cyber Insurance or have experienced a data breach!

There is no shortage of alternative projects that compete for the team’s time. Furthermore, it falls upon the person responsible for completing the SRA to organize and delegate who needs to make the required contributions and keep them on track.

A tall order for many teams leads to them falling further behind and not being efficient with their time.

Dated Technology and Tools

The HIPAA SRA covers technical, administrative, and physical controls to protect patient health information from being improperly disclosed.

In many cases, clients come to us with spreadsheets and lists of tasks, systems, and policies. All of this information is cumbersome to manage and organize, let alone assess and score against the required levels of HIPAA compliance.

Challenges Identifying Hidden Vulnerabilities and Risk

The information needed to complete an SRA is a combination of dynamic electronically scanned data, information systems configuration and administrative controls, static policies and procedures, and operational compliance procedures (e.g. annual HIPAA training).

Putting all of this together and seeing how your organization stacks up across the required areas is a challenging task.  Furthermore, depending on the age and status of your EMR/EHR platform, there are several other hidden risks that may be missed during the technical controls phase of your assessment.

An easy way to collect and assemble all forms of this data is helpful to clearly see where more effort is needed and how to focus the team’s time.

Understanding the Regulations

Patient data protection under HIPAA is a very clear requirement spelled out in the Federal Government’s code of regulations – CFR 164.308(a) (1) and CFR 164.524 (security and privacy, respectively).

If your team does not have experience in understanding how your actual posture compares against these regulations, it will take an inordinate amount of time and stress trying to assess your open risks and put together a practical improvement plan.

Furthermore, many clients are afraid that they will not “pass” and decide to drop the effort entirely. BIG mistake! The Federal Government is trying to foster a culture of compliance; you have to start somewhere and take continuous steps to reduce risk by closing gaps in your ability to protect health information.

There are numerous examples where organizations have been levied significantly higher fines simply because they failed to make improvements over time.

Insufficient Visibility of People and Business Process Change

Organizations are in a constant state of flux. The Security Risk Assessment has to be performed annually or when significant changes are made to your organization or technical infrastructure.

Keeping all stakeholders involved with minimal friction yet with organized collaboration is important to expose the kind of changes that could impact your SRA.

Lack of Engagement

This is an internal and external issue. Internally, you need the help of busy people to provide specific contributions to the collection of data and assessment of its impact on your security posture. Externally, you have to ensure that all of your third-party vendors who interact with PHI are also HIPAA compliant and are staying that way.

The number of vendors that touch your PHI can quickly grow – our client histories indicate that a mid-sized hospital is likely to have at least 300 vendors who need to be monitored.  A Business Associate Agreement (BAA) will address your legal liability but not necessarily your regulatory liability.

Based on your organization’s size and technical footprint, it may make sense to automate the monitoring of your third parties and their compliance.

Conclusion: How to Speed Up Your HIPAA SRA

So how do you speed things up and complete your SRA with a minimum of wasted motion?

Use an automated platform that helps you collect information, scores your results, automates collaboration with your stakeholders, provides an improvement (remediation) plan, and shows you how you compare to others (benchmarking).

Additionally, work with an experienced security professional who can set up the platform and guide your team through the process the first time.  This will help your organization gain experience and understanding to get and stay compliant with a minimal amount of effort.