Conducting HIPAA Risk Assessments
Regular risk assessments are required under the HIPAA Security Rule. Such assessments will help ensure that your practice is in compliance with current federal regulations. The information gathered from the risk assessment will assist you in identifying vulnerabilities, mitigating potential risk and ensuring compliance with the Security Rule.
As the Practice Manager, you are responsible for ensuring that risk assessments are performed regularly. It is best to develop a schedule for conducting the assessments. Avoid the trap of, “We’ll do it when we have time,” because you will never have time unless you make it a priority. You can perform the assessment yourself, assign a knowledgeable staff member or utilize the services of an outside HIPAA compliance consultant.
The Security Rule is enforced by the Department of Health and Human Services Office for Civil Rights (OCR). OCR has not identified a single method or best practice that guarantees compliance. However, it offers a Security Risk Assessment Tool that can help small- to medium-sized offices conduct and document a thorough risk assessment.
What to include in a risk assessment
- Where is electronic protected health information (ePHI) created, stored, received, maintained or transmitted by your practice?
- What devices store or temporarily interact with ePHI? This includes desktops, laptops, tablets, mobile devices and medical devices. Don’t forget that all-in-one printers can store ePHI that is sent or received via fax.
- What are the external exposures of ePHI? Do vendors or consultants have access to ePHI? Check on their current security practices to ensure they are up-to-date.
- What are the potential threats to the devices and systems that contain ePHI? One of the most common threats may come from staff members who fail to recognize phishing email that could allow malware onto your network. Unauthorized access and the theft of an employee’s mobile device are other common threats. Be sure to include the potential for disasters such as fires or floods as well as environmental threats, such as power failures.
- What is the potential for each identified threat to affect the confidentiality, availability and integrity of your practice’s ePHI? Assign risk levels for identified threats and vulnerabilities. Where appropriate, develop mitigation procedures, such as increased employee training.
- What security measures are in place to reduce risk and safeguard ePHI? Assess and document the administrative, physical and technical safeguards your practice uses to protect ePHI. Indicate whether each safeguard has been implemented and is configured and used properly.
Following are examples of each type of safeguard. For a comprehensive checklist, please review the OCR Security Risk Assessment Tool. A link can be found at the end of this article.
Examples of administrative safeguards
- Conducting periodic training programs to educate staff about how to protect ePHI and the methods hackers use to try to gain access to your systems.
- Evaluating the level of access each staff member needs and ensuring unnecessary access is not provided.
- Setting a schedule for conducting security reassessments.
- Establishing a policy for staff to report breaches. This may include completing a form documenting pertinent details of a breach, such as when it occurred, what devices were involved, what patient information may have been compromised and whether the breach is ongoing or was a one-time occurrence.
- Maintaining and following an incident response plan. A good plan will include a risk-of-harm analysis that evaluates whether the incident is a reportable breach.
Examples of physical safeguards
- Ensuring the security of your facility in general and your computer equipment in particular. If an after-hours cleaning crew or others have access to your office, verify the security of all devices that contain or provide access to ePHI.
- Securing mobile devices in a locked location and developing a system for tracking them. If appropriate, maintain a sign-out log for employees who take mobile devices offsite. Tag all mobile devices with identifiers that allow for location tracking and remote wiping in the event that they are lost or stolen.
- Ensuring that visitors and unauthorized staff cannot view or access computers or mobile devices. Monitors located at the front desk should be shielded from individuals in the waiting area.
Examples of technical safeguards
- Controlling access to EHR and patient email systems using secure passwords. Computers located in exam rooms should remind staff to log off before leaving the room or automatically log off after a few minutes of inactivity.
- Determining the best way to protect patient ePHI from unauthorized transmission or interception. Unless someone on your staff is tech savvy, you may want to consult with an IT specialist to ensure that ePHI is securely encrypted using the most up-to-date standards.
- Developing a schedule for checking computers and mobile devices for viruses, malware or applications that could put data at risk. This includes ensuring virus protection programs are up-to-date.
- Ensuring that staff members who are authorized to work from home are using a secure network and that devices use the necessary encryption.
Conducting HIPAA risk assessments as required under the HIPAA Security Rule will protect your patients’ information and increase the likelihood that your practice will avoid breaches of that information.
HealthIT.gov. Security Risk Assessment Tool. Accessed Oct. 15, 2020. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
HIPAA Journal. HIPAA Compliance Checklist (includes COVID-19 disclosure information). Accessed Oct. 15, 2020. https://www.hipaajournal.com/hipaa-compliance-checklist/
Henley, Jeremy. “Cybersecurity Risk Assessments Are Now More Important Than Ever.” Medical Liability Monitor. Sept. 2020, Vol. 45, No. 9.