The Center of HIPAA Security – The Risk Assessment

At the very core of HIPAA security and protecting patient information is the infamous risk assessment. Under the HIPAA Security Rule and Meaningful Use requirements, all practices must conduct a risk assessment. This is meant to help identify any potential security risks to patient information so that practices can improve their security mechanisms to limit any risk factors.

Understanding exactly what a risk assessment is and how to conduct one is a truly invaluable tool. Security breaches can not only cause patient unease and time lost, but HIPAA fines can be an extreme blow if the practice is not prepared.

At its center, the risk assessment process is largely a cycle. It’s a continuing process that requires conscious and constant improvement to a system that can never be perfect. This is why it can be helpful for everyone in the practice, from nurses to the billing staff, to know the basics of a risk assessment, because a breach can occur at many different steps in the medical systems. It is those that work closely with each system that may be able to find flaws and come up with ideas on how to improve security.

Here is the risk assessment process in a nutshell: five easy steps that are sure to lead your practice into a safer, more secure, and a more HIPAA compliant environment.

The Five Steps of Conducting a Risk Assessment

1. Determine where and how your patient’s information is stored – Each different type of patient storage has its own security risks to keep in mind. For example, paper information could be destroyed by a flood or a fire, but an EMR that is stored on an external server would be safe. However, an EMR has certain cyber-security risks, while paper information requires physical access. These trade-offs and differences need to be taken into consideration and are why determining where exactly the information is stored is important.
2. Determine any possible ways for information to be breached – Whether it be physical or digital, intentional or accidental, any possible threat to security must be accounted for. Common threats include: hacking into an EMR and stealing patient information, theft of devices, improper disposal of records, email breaches, dishonest employees, and even gossip. Determining these risks is the key to creating a well-developed risk assessment.
3. Determine your practice’s current security safeguards – After you’ve looked at security risks, it is important to identify what your practice is doing to actively protect patient information. This includes any type of antivirus, password rotations, secure emails, server protections, EMR back-ups, or the use of an encryption software. This is the time to determine everything you and your practice is doing to prevent any possible risk.
4. Identify the risk factor of each potential breach (step 2) – Determining the risk factor of a certain breach is done in two steps: First, determine how likely it is that this breach will actually occur, and second, determine the impact it would have on the practice as a whole. Determining the risk factors of a practice is the meat of the risk assessment; it is where you really analyze the holes in your security system. If the risk level of something is relatively high, it is important to start looking at ways to decrease it.
5. Determine what implementations can be put in place to lower these risk factors – Whether it’s tackling the issue head-on and making sure it’s impossible for the breach to ever occur, or just putting safeguards in place to lessen its impact, these are both ways of lowering your risk factors, which is the ultimate goal of the risk assessment.

With these five steps, the practice can actively work to increase the security of patient’s records. Remember, the risk assessment is more than just an action, it is a cycle that can be used to constantly improve upon itself and to grow a practice into something that can be depended on as safe and secure.

For information on the risk assessment, or if you have any questions regarding security and HIPAA compliance, contact us.

SHARE IT: