Compliance & Cybersecurity: 6-Week Assessment

Healthcare providers that take part in the Merit-Based Incentive Payment System (MIPS) must comply with the requirement to protect patient information by performing an annual SRA - security risk analysis (per 45 CFR 164.308(a)(1)) – the HIPAA Security Rule. Failure to do so could result in a reduction in reimbursements and negative impact to your reputation.

The first and foundational step of completing the SRA is to create the organization’s PHI (Protected Health Information) inventory – where PHI lives (ex: Azure, COLO, server on site, device, healthcare software, etc.). Based on the PHI inventory ClearDATA recommends which workloads: 1) should move into Azure, 2) could move into Azure and, 3) should not be in Azure.

Examples of “should be in Azure” are all back-ups, disaster recovery, business continuity, etc.). Examples of “could move to the cloud” are ancillary software apps/tools used for EMR, billing, etc. Examples of “should not move to the cloud” are high compute pharmaceutical studies. Workloads that should not move the cloud then require a review of Microsoft licensing, firewalls, etc., to ensure the PHI is secure.

The final SRA report is delivered to the C-Suite executives who have fiduciary responsibility for HIPAA compliance. The presentation of the final SRA report includes a HIPAA risk remediation plan that identifies/Gantt charts candidate workloads to move to Azure with an agreed-upon time schedule.

Why should you choose ClearDATA SRA?

• ClearDATA SRA follows the Office of Civil Rights (OCR) Guidance Document for completing the SRA
• ClearDATA SRA meets the Macra/MIPS Advancing Care requirement
• In the event of an OCR “Reportable Breach”, your organization’s latest SRA will be reviewed by the OCR. With a ClearDATA SRA, we stand beside you.
• ClearDATA has performed hundreds of SRA – from Integrated Delivery Networks with dozens of clinics to standalone medical centers and clinics.