Don’t skimp on your HIPAA risk assessment


If you’ve ever been speeding down the highway, passed a police car, and then slowed to well below the speed limit hoping you wouldn’t be pulled over and handed a citation, you are probably doing the same thing with your HIPAA compliance.

Until you’ve opened a letter from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) notifying you that your practice is being audited for Health Insurance Portability and Accountability Act (HIPAA) compliance, you won’t appreciate the gravity of the situation.


Now you must confront the fact that you’ve done a bare-bones risk assessment as you’ve sped through your practice day. The electronic protected health information (ePHI) that sits on your network is exposed to a breach because you haven’t plugged all the leaks, and an OCR auditor handing out a steep fine for noncompliance may be waiting around the corner.

Here are the steps your practice should take to protect your patients’ information – and pass an audit:

Inventory patient information

Capture and inventory every place patient information is stored, accessed, or transmitted. Most people think of their electronic health record system as their only source of patient records, but patient information can also live in a word processing document, a spreadsheet, or a billing report, in emails and text messages, on laptops, phones, and backup media, and with the outside vendors that handle your billing or IT. If you don’t know where the data is, you can’t protect it, and you can’t show an auditor that you assessed the risk to it.



Assess security policy


Review what your written policies actually require and whether staff follow them. How often does the practice perform data backups, and has a restore ever been tested? Are employees logging into public Wi-Fi networks or sharing patient information on social media? Is there a termination procedure that revokes system access and collects devices and keys when employees leave the practice?

Evaluate common threats

The likelihood and impact of each threat should be analyzed. How is the practice protecting information in the case of a natural disaster, the loss or theft of a laptop containing patient information, or an email sent to the wrong patient? For each of these, have a policy in place, and make sure patient information stored on a laptop or other portable device is encrypted so that losing the device does not mean losing control of the data.


Perform a security risk assessment

Bring the inventory, the policy review, and the threat analysis together into a documented security risk assessment. A thorough assessment ranks each risk by likelihood and impact, identifies the additional safeguards and procedures needed to lower the risk of a patient data breach, and records what the practice decided to do about each one. That written record is what satisfies OCR auditors; a risk assessment that exists only in someone’s head does not.

Audit your systems

Turn on audit logging in the EHR and any other system that holds ePHI, and review the logs on a schedule. The log should answer who opened which patient’s record, when, and from where. Look for access with no treatment or billing relationship to the patient, access at unusual hours, and one account opening an unusually large number of charts in a day, and follow up on each finding.
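The kind of log review described above, as an added illustration that is not part of the original article. The audit log format, the sample log lines, the treatment-relationship table, the business-hours window, and the bulk-access threshold are all constructed assumptions for the example; a real EHR’s audit export will have its own fields, and the thresholds should be tuned to the practice.

```python
"""Flag suspicious ePHI access in an EHR audit log.

Added example, not code from the original article. The log format,
the ASSIGNMENTS table, BUSINESS_HOURS and BULK_THRESHOLD are assumptions
made for the illustration; adapt them to your EHR's audit export.
"""
from datetime import datetime

# Constructed sample audit log: "timestamp,user,role,patient_id,action", one chart access per line.
SAMPLE_LOG = """\
2024-03-04T09:12:00,jsmith,physician,P1001,view
2024-03-04T09:15:00,jsmith,physician,P1002,view
2024-03-04T10:02:00,rlee,nurse,P1001,view
2024-03-04T02:40:00,tkim,billing,P1003,view
2024-03-04T11:05:00,tkim,billing,P1001,view
2024-03-04T11:06:00,tkim,billing,P1002,view
2024-03-04T11:07:00,tkim,billing,P1004,view
2024-03-04T11:08:00,tkim,billing,P1005,view
2024-03-04T11:09:00,tkim,billing,P1006,view
2024-03-04T11:10:00,tkim,billing,P1007,view
"""

# Constructed: patients each user has a documented treatment or billing relationship with.
ASSIGNMENTS = {
    "jsmith": {"P1001", "P1002"},
    "rlee": {"P1001"},
    "tkim": {"P1003", "P1004"},
}

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00 to 19:59 local time is normal
BULK_THRESHOLD = 5  # assumption: more distinct charts than this per user per day gets a review


def parse_log(text):
    """Parse the constructed CSV-style audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def find_suspicious_access(events, assignments=ASSIGNMENTS):
    """Return a list of (finding_type, user, detail, when) tuples.

    Three checks: access to a patient the user has no relationship with,
    access outside business hours, and bulk chart access in one day.
    """
    findings = []
    charts_per_user_day = {}
    for e in events:
        if e["patient"] not in assignments.get(e["user"], set()):
            findings.append(("no_relationship", e["user"], e["patient"], e["ts"].isoformat()))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", e["user"], e["patient"], e["ts"].isoformat()))
        key = (e["user"], e["ts"].date())
        charts_per_user_day.setdefault(key, set()).add(e["patient"])
    for (user, day), charts in charts_per_user_day.items():
        if len(charts) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(charts)} distinct charts", day.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_access(parse_log(SAMPLE_LOG)):
        print(*finding, sep="\t")
```

On the constructed sample, the physician and nurse produce no findings, while the billing account is flagged for five charts it has no relationship with, one access at 02:40, and seven distinct charts in a single day. Each finding is a starting point for a documented follow-up, not proof of wrongdoing; a billing clerk may well have a legitimate reason, and the review record showing you asked is what matters to an auditor.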


Encrypt your data

Encryption does more than protect against attacks: it also limits the damage, and the penalties, when something goes wrong. Under the HIPAA breach notification rule, the loss or theft of a device whose ePHI was encrypted according to HHS guidance is not treated as a breach of unsecured PHI, and auditors weigh whether a practice did all it reasonably could to protect the data. Encrypt laptops, phones, and backup media, and use encrypted channels for any email or file transfer that carries patient information.



Stay vigilant

Train employees to recognize phishing emails and telephone scams, and give them a simple way to report them. Track the movement of visitors and patients while they are in the organization’s facility so that unattended workstations and paper records are not exposed. Don’t assume there will be no problems: have documented disaster recovery procedures in place, test them, and repeat the risk assessment whenever the practice adds a system, a vendor, or a location, and at least once a year.