Don’t skimp on your HIPAA risk assessment


If you’ve ever been speeding down the highway, passed a police car, then slowed to well below the speed limit, hoping you wouldn’t get pulled over and handed a citation, then you are likely doing the same thing when it comes to your HIPAA compliance.

Until you’ve opened a letter from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) notifying you that your practice is being audited for Health Insurance Portability and Accountability Act (HIPAA) compliance, you won’t realize the gravity of the situation.


Now you must confront the fact that you’ve done a bare-bones risk assessment as you’ve sped through your practice day. The electronic protected health information (ePHI) that sits on your network is vulnerable to a security breach because you haven’t plugged all the leaks. And the threat of an OCR auditor handing out a steep fine for noncompliance may be waiting around the corner.

Here are the steps your practice should take to protect your patients’ information – and pass an audit:

Inventory patient information

Capture and inventory where patient information is stored, accessed, or transmitted. Most people think of their electronic health record system as their only source of patient records, but patient information can also sit in a word processing document or a billing report, and in emails or text messages.

Assess security policy

How often does the practice perform data backups? Are employees logging into public Wi-Fi networks or sharing information on social media? Is there a termination procedure when employees leave the company? 

Evaluate common threats

The likelihood and impact of each threat should also be analyzed. How is the practice protecting information in the case of a natural disaster, the loss or theft of a laptop computer containing patient information, or an email sent to the wrong patient? Again, have a policy in place, and make sure patient information is secured and protected if it’s stored on a laptop.


Perform a security risk assessment

A thorough security risk assessment will identify the additional security measures and procedures a medical practice needs to reduce the likelihood and impact of each threat, lower the risk of patient data breaches, and satisfy OCR auditors.

Audit your systems

Track access to ePHI and patient data to detect unauthorized access.
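As an added illustration of what "tracking access to ePHI" can look like in practice (this is example code, not part of the original article or any vendor's product), the script below reads a constructed EHR audit log and flags three kinds of access worth reviewing: users who are not on the patient's care team, access outside business hours, and one user pulling up an unusual number of different patient records in a day. The log format, the care-team roster, the business-hours window and the bulk threshold are all assumptions chosen for the example; a real EHR exports audit events in its own format, and thresholds should be tuned to the practice.

```python
"""Flag ePHI access events that merit review in an EHR audit log.

Added example, not code from the article. The log format, the care-team
roster and the thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (assumed format): timestamp,user,patient_id,action
SAMPLE_LOG = """\
2024-03-04T09:12:00,drlee,P1001,view_chart
2024-03-04T09:15:00,drlee,P1002,view_chart
2024-03-04T09:20:00,nurse_kim,P1001,update_vitals
2024-03-04T02:40:00,billing_ray,P1003,view_chart
2024-03-04T10:01:00,frontdesk_ann,P1001,view_chart
2024-03-04T10:02:00,frontdesk_ann,P1002,view_chart
2024-03-04T10:03:00,frontdesk_ann,P1003,view_chart
2024-03-04T10:04:00,frontdesk_ann,P1004,view_chart
2024-03-04T10:05:00,frontdesk_ann,P1005,view_chart
"""

# Constructed roster: which users are authorized to touch each patient's record
CARE_TEAM = {
    "P1001": {"drlee", "nurse_kim"},
    "P1002": {"drlee"},
    "P1003": {"billing_ray"},
    "P1004": {"drlee"},
    "P1005": {"drlee"},
}

BUSINESS_HOURS = (7, 19)  # assumed: 07:00-19:00 counts as normal working hours
BULK_THRESHOLD = 4        # assumed: >= 4 distinct patients by one user in a day


def parse_log(text):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def audit_access(events, care_team, business_hours=BUSINESS_HOURS,
                 bulk_threshold=BULK_THRESHOLD):
    """Return (who, what, reason) findings for events that merit review."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patients touched
    start, end = business_hours
    for e in events:
        # Minimum-necessary check: only the care team should open this record
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append((e["user"], e["patient"], "not_on_care_team"))
        # Off-hours access is not necessarily wrong, but it should be explained
        if not (start <= e["ts"].hour < end):
            findings.append((e["user"], e["patient"], "after_hours"))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Bulk access by one account in a day can indicate snooping or a stolen login
    for (user, day), patients in per_user_day.items():
        if len(patients) >= bulk_threshold:
            findings.append((user, day.isoformat(), f"bulk_access:{len(patients)}"))
    return findings


def run_sample():
    """Run the audit over the constructed sample log."""
    return audit_access(parse_log(SAMPLE_LOG), CARE_TEAM)


if __name__ == "__main__":
    for who, what, reason in run_sample():
        print(who, what, reason)
```

On the sample log this reports the billing user's 02:40 chart view as after-hours, every chart the front-desk account opened as outside its care-team authorization, and that same account's five distinct patients in one day as bulk access. Each finding is a prompt for a documented review, not proof of wrongdoing; keeping the review records is what demonstrates to an auditor that access is actually being tracked.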


Encrypt your data

Encrypting patient data, both where it is stored and while it is transmitted, does more than protect against attacks: it can also reduce potential penalties, because auditors take into account whether a practice did all it could to protect the data.

Stay vigilant

Train employees to recognize “phishing” emails and telephone scams. Track the movement of visitors and patients while they are in the organization’s facility. Don’t assume there will be no problems: have documented disaster recovery procedures in place.
