The year: 1996. The scene: The White House. Then-President Bill Clinton signs into law the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Four years later, the famous daughter of HIPAA was born: the Privacy Rule. Created by the U.S. Department of Health and Human Services (HHS), this rule outlines when and to whom identifiable patient data can be shared, and most healthcare professionals know it well.
In 2003, another child of HIPAA was born. The child looked like its older sister, as it was also created by the HHS. However, it covers how healthcare organizations store electronic personal health information (ePHI). It was named the Security Rule. Despite his importance, he lived in the shadow of his better-known sibling for years. “But where are you storing that data?” he’d shout, but no one paid him any attention.
Then, when hackers began holding healthcare data for ransom and exposing the ePHI of millions of patients, the Security Rule sighed, got out of bed, and laced up its shoes. The world needed him now, and he was ready to remind people how to keep ePHI secure, one security risk assessment at a time.
HIPAA requires healthcare organizations, healthcare insurance companies, healthcare clearinghouses, and third-party business associates who handle ePHI to perform a security risk assessment (SRA). While there is no specific timeframe, most organizations that perform an SRA do so yearly. (The time frame may change in a future Security Rule update.)
With MetaStar, an SRA is “going to identify risks and vulnerabilities that may affect the security of electronic personal health information. It also supports the development of a risk mitigation plan for addressing those identified risks and vulnerabilities,” explained Penny Bartelt, behavioral health project specialist with the Healthcare Transformation Department at MetaStar.
According to The HIPAA Journal, 87% of data breaches are preventable with proper training and security measures. The SRA will get an organization thinking about data security: what exists, what needs to be updated, and what needs to be created. It’s better to have them ready or be actively working on them in case the HHS Office for Civil Rights (OCR) decides to stop by for an investigation.
MetaStar’s SRA steps are simple:
The SRA “captures the organization’s current state—it’s a snapshot in time,” explained Bartelt. The kick-off meeting lasts about four hours. During the assessment, organizations evaluate policies and procedures related to the secure storage of ePHI. An additional two to four hours can be spent on follow-up.
Assessment questions may cover topics like how to add, remove, or change a software user; how to make sure only the right people can access rooms with ePHI; setting computers to log off automatically when not in use; when and how to use data encryption; whether ePHI can be used on personal devices, and if so, by whom and how; and what actions to take if a breach happens.
MetaStar’s proprietary SRA tool is a place for organizations to keep all their SRA data year after year. The yes/no questions offer explanations and guidance, so users know exactly what they need to answer with confidence. Additionally, MetaStar’s experienced team can walk through the questions with the organization’s SRA team. The software, based on the one created by the Office of the National Coordinator for Health IT (ONC) in collaboration with the OCR, has places for notes that can make risk mitigation easier. Reports from the SRA tool can show incomplete or flagged items to use as follow-ups. The best part of MetaStar’s SRA tool? When an organization clicks “complete,” confetti explodes on the screen. “It’s so fun,” said Bartelt. “I always say, ‘Hey, everyone—wait for it! You earned this!’”

“You don’t do your SRA, put it on a shelf, and think about that in a year or two. You need to act on it,” said Bartelt. That’s where risk mitigation comes in. Using the final report from the SRA, risk mitigation starts by calculating a risk rating for each item marked “no.” This allows organizations to address their high-risk, high-impact areas first and to sequence the remaining next steps by those ratings. Next steps can include creating policies and procedures, conducting training and reviews, and fostering a culture of security within the organization. To help with that work, Bartelt’s team made sample policy and procedure documents for organizations, which have saved them time and money.
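As an added illustration (not MetaStar’s tool or any code from this article), the script below shows how that prioritization step can be tracked: each “no” answer gets a risk rating, the list is ordered highest rating first, and unanswered items are pulled out as follow-ups. The 1-to-3 likelihood/impact scale, the product formula, and the sample answers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Likelihood and impact are scored 1 (low) to 3 (high); the rating is their
# product. This scale is an assumption for the example, not MetaStar's method.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class SraItem:
    question: str
    answer: Optional[str]  # "yes", "no", or None when not yet answered
    likelihood: str        # how likely the gap is to be exploited
    impact: str            # harm to ePHI confidentiality, integrity or availability

    def risk_rating(self) -> int:
        # Only a "no" answer represents an open risk; "yes" and unanswered score 0.
        if self.answer != "no":
            return 0
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


# Constructed sample answers, using the assessment topics the article lists.
SAMPLE_ITEMS = [
    SraItem("Is multi-factor authentication required on remote access portals?", "no", "high", "high"),
    SraItem("Do workstations log off automatically when idle?", "no", "medium", "medium"),
    SraItem("Is ePHI encrypted at rest and in transit?", "yes", "high", "high"),
    SraItem("Is physical access to rooms holding ePHI restricted?", "no", "low", "high"),
    SraItem("Is there a written procedure for removing departing users?", None, "medium", "high"),
    SraItem("Is ePHI on personal devices governed by a policy?", "no", "medium", "low"),
]


def mitigation_plan(items):
    """Return the 'no' items ordered highest risk rating first (ties keep input order)."""
    open_risks = [i for i in items if i.answer == "no"]
    return sorted(open_risks, key=lambda i: i.risk_rating(), reverse=True)


def follow_ups(items):
    """Unanswered questions are incomplete and need follow-up before the SRA closes."""
    return [i for i in items if i.answer is None]


if __name__ == "__main__":
    for item in mitigation_plan(SAMPLE_ITEMS):
        print(f"{item.risk_rating():>2}  {item.question}")
    print("Follow-ups:", [i.question for i in follow_ups(SAMPLE_ITEMS)])
```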
Bartelt finds organizations that promote a culture of security, privacy, and follow-through fare the best when it comes to ePHI security. She told of a company that had one risk to mitigate this year because they prioritized security in their workplace culture. “We have seen that if you make data security and privacy a priority and part of regular meetings, that list of risks to mitigate gets shorter and shorter,” she explained.
The biggest ePHI data breach in history happened in 2024, exposing the ePHI of about one-third of patients in America. While the OCR hasn’t finished its investigation, the breach has been wildly expensive for the organization. All told, they will be paying well over $3.9 million because they didn’t require multi-factor authentication on employee remote access portals. Hackers found valid login credentials and disrupted electronic service for an organization that processes approximately 50% of medical claims in the United States.
An SRA may have identified this vulnerability, and risk mitigation could have set up a plan to address it. Healthcare organizations must ensure ePHI is kept safe and secure. The patients they serve deserve security policies and procedures that are appropriate, up-to-date, and enforced. In the words of Bartelt, “Any organization that has done an SRA is a success story because it means security and risk are important to them.”
Penny Bartelt has been at MetaStar for four and a half years. Penny is especially proud of the security policy and the business continuity templates she created. Customers have raved about how much they love them. She’s delighted that her work is helping organizations think about security and risk mitigation.
Kate Schultz is a freelance writer and standardized patient who formerly worked as a stage manager, high school English teacher, and software tester. She and her husband performed a security risk assessment on their bathroom and decided to enhance safety measures. It’s their first home remodel project, and, depending on how it goes, it may be their only home remodel project.