Question: As a very small healthcare provider, do we really need to conduct an in-depth risk analysis?
Answer: The idea that a security risk analysis is optional for small providers is a myth, according to the HHS Office of the National Coordinator for Health Information Technology (ONC). All providers who qualify as covered entities (CEs) under HIPAA must perform a risk analysis. And you must conduct one if you want to receive EHR incentive payments.
You can perform the risk analysis yourself using self-help tools; you don’t necessarily need to outsource the task, ONC says. “However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”
Remember: You don’t need to use any specific method, ONC notes. “A risk analysis can be performed in countless ways.” To get started, try using the Security Risk Assessment Tool at http://www.healthit.gov/providers-professionals/security-risk-assessment-tool.