National Health IT Week: Post-Presentation Q&A

In the effort to carry on the theme for National Health IT Week, InfoGard’s technical staff has committed to providing answers to post-presentation questions on “10 Steps to Protect My Covered Entity From Breach” posted on October 6, 2015. Additional Q&A’s will be added to the existing list. Check back for updates periodically. To submit additional questions, email

1. How often should a covered entity conduct an SRA?

An SRA should be conducted commensurate with the changing environment. The more change occurs in the physical environment, policies, and staff, the greater the possibility of new risks emerging, and existing risks becoming more severe. With a rapidly changing environment you might consider an SRA every quarter; with a stable environment every three (3) years may be sufficient.

2. What are the benefits of a third-party risk assessment compared to internally conducted SRAs?

Third-party risk assessments can offer industry-leading expertise. Additionally, they are independent from any employee prejudices of the environment and provide a fresh set of eyes. However, having internal staff members trained can provide cost savings as well as rapid responses to new threats or situations.

3. Should I contract out everything to avoid dealing with all the security requirements myself?

This can be a great solution since some covered entities have many clients and already have experience managing EPHI as required by HIPAA and conducting SRAs. However, many businesses are not. When subcontracting IT services, such as hosting your EHR offsite, ensure that the business associate agreement (BAA) includes all security items for which the business associate (BA) is responsible. Additionally, obtain evidence they are actually doing what is required. While you may be able to avoid direct penalties from OCR by this method, when a breach occurs there still might be damage to your reputation, high staff turnover, and indirect financial cost that often amounts to six (6) figures even for small clinics.

4. I have an employee who is HIPAA certified; does this offer me security?

Security is only as deep as the individual’s expertise. There is no government backed certification program, and all certifications are simply private guarantees. Sitting down with a HIPAA lawyer and other HIPAA security experts at least once can make a huge difference in the security of the site.

5. Do I need to have an employee who is an expert in hacking to avoid a breach?

No. There are many tools available to secure your network and IT equipment which require only a general IT background. Consider purchasing some of the industry tools to help facilitate security. Often times installing these tools will help educate your staff on security in the process.

Leave a Reply