You’re probably familiar with the fact that your medical practice must complete an accurate HIPAA risk assessment at least once a year. But did you know the cost of doing it right is small compared to the cost of getting it wrong?
There are civil and criminal penalties for noncompliance -- fines of $100 to $50,000 per violation, for example, and jail time for knowingly violating HIPAA rules.
Here are some things every medical practice needs to know about HIPAA risk assessments:
What is a HIPAA Risk Assessment?
“An organization's Risk Analysis under the HIPAA Security Rule is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the organization,” says David Harlow, principal of The Harlow Group.
It’s tailored to the size and environment of the organization, which determines the nature of the risks to PHI and the types of protections that must be put in place, Harlow says.
“Conducting a Risk Analysis is critical to compliance with the Security Rule because it contains 'addressable' requirements,” Harlow explains. “They are not mandatory, but a covered entity or business associate needs to address these requirements and explain why it is or is not following them.”
Risk assessments are important for any practice, regardless of size, says Christopher Burgess, president and CEO of Prevendra Inc. “HIPAA risk assessments exist to give a healthcare organization -- be it large service provider or small-town clinic -- an understanding of the internal risks which an entity may be facing,” he says. They can be a useful and important tool to examine policies and procedures.
There are generally three steps in a HIPAA risk assessment:
Step 1: Review of Current Policies and Procedures Pertaining to Information Security
It’s easy to think of a HIPAA risk assessment as an analysis of policies your practice has for handling PHI. But it’s also an examination of how those policies are being carried out -- and by whom.
“While commonly thought of as a technical evaluation, in reality, such an assessment looks at the people part of the business operation as well,” says Glenn Phillips, a senior consultant at Forte Online.
It’s not just about computers, servers, firewalls, websites, email and data backups, he says. “An assessment will also look at how these systems are used and how the usage is overseen. Commonly this includes review of operations policies and procedures and the checks-and-balances to ensure these policies and procedures are followed.”
Step 2: Inventory of IT Assets
This step examines where your practice's PHI is stored as well as what is protecting and backing it up.
“This involves looking for technical areas in which data can be accessed or manipulated,” says Joe Feyereisen of Reach IPS.
Step 3: Analysis of IT Risk, Security and Privacy Controls
This can range from looking at passwords to examining who has clearance to access certain data. “It also involves the operational and clinical procedures that look at the manual and manual-to-technical policies and mechanisms that generate and share that PHI,” says Feyereisen.
To learn more about HIPAA risk assessment and HIPAA compliance, sign up today for our Nov. 13 webinar "HIPAA Risk Assessment: What You Need to Know."
Logan Solutions uses a combination of clinical practice expertise and technological skill to help physician practices throughout the U.S. implement, customize and improve their EMR and Dragon Medical software systems. Contact us to find out how our clinical-practice expertise can help your practice with its clinical documentation software needs.