We had a formal risk assessment done by a third party last year that was very informative but also pretty costly.
Is there a defined process to meet compliance?
I was thinking about having that consultant just do a refresh and focus on the areas where we didn't score as high. I'd be willing to forgo that and use this template (or similar) if that meets requirements.
Is there a standard for this?
Attached is a sample SRA template in response to Joy's request.
Thanks all for the feedback. We utilized the CMS risk assessment tool and I am glad I did as it is comprehensive and highlights the weaknesses and strengths in policy and procedures.
Anne, would you happen to have a template you could share with us for small practices?
We are a small practice and have developed our internal compliance infrastructure over the past 6 years, including internal policies and procedures, written physical, technical and administrative safeguards, and employee training. We also use the CMS online risk assessment tool as an additional check. I am happy to talk via phone for any specific questions.
At the practice where I previously worked, we outsourced the security risk assessment and analysis. It involved a significant amount of work by me and our staff (especially the IT staff). There are a variety of services out there, and the one we used is called HIPAA ONE. I am not endorsing them necessarily, but they might be worth checking out.
MIPS requires an annual security risk assessment. Is anyone using a risk analysis tool different from the one suggested by CMS? If so, would you mind sharing it? Also, is anyone willing to share a HIPAA Security Policy for a small medical group?
Any help is much appreciated.
New York Medical Group Management Association, Inc.
EP II, 11350 McCormick Road, Suite 904, Hunt Valley, MD 21031
P: 410-527-0780 E: firstname.lastname@example.org
© 2015 - 2018 New York Medical Group Management Association, Inc.