Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

Don’t skimp on your HIPAA risk assessment

November 25, 2015

Article

If you’ve ever been speeding down the highway, passed a police car, then slowed to well below the speed limit, hoping you wouldn’t get pulled over and handed a citation, then you are likely doing the same thing when it comes to your HIPAA compliance.

Until you’ve opened a letter from the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) notifying you that your practice is being audited for Health Insurance Portability and Accountability Act (HIPAA) compliance, you won’t realize the gravity of the situation.

Take our quiz to test your HIPAA knowledge here

Now you must confront the fact that you’ve done a bare-bones risk assessment as you’ve sped through your practice day. The electronic protected health information (ePHI) that sits on your network is vulnerable to a security breach because you haven’t plugged all the leaks. And the threat of an OCR auditor handing out a steep fine for noncompliance can be waiting around the corner.

Here are the steps your practice should take to protect your patients’ information – and pass an audit:

Inventory patient information

Capture and inventory where patient information is stored, accessed, or transmitted. Most people think of their electronic health record system as their only source of patient records, but patient information can be in a word processing document or a billing report. Patient information could also be in emails or text messages.

Next: Assess security policy

Assess security policy

How often does the practice perform data backups? Are employees logging into public Wi-Fi networks or sharing information on social media? Is there a termination procedure when employees leave the company?

Evaluate common threats

The likelihood and impact of a threat should also be analyzed. How is the practice protecting information in the case of a natural disaster, or the loss or theft of a laptop computer containing patient information, or sending an email to the wrong patient? Again, have a policy in place and make sure patient information is secure and protected if it’s stored on a laptop.

Best EHRs: Physicians reviewed

Perform a security risk assessment

A security risk assessment will identify additional security measures to reduce the likelihood of a threat and its impact.

Next: Audit your systems

A thorough security risk assessment will help a medical practice identify the additional security and procedures needed to lower the risk of patient data breaches and to satisfy OCR auditors.

Audit your systems

Track access to ePHI and patient data to detect unauthorized access.

10 tips for physicians to be better leaders

Encrypt your data

Don’t just protect against attacks but help alleviate any potential penalties as auditors will take into account whether a practice did all it could to protect the data.

Next: Stay vigilant

Stay vigilant

Train employees to recognize “phishing” and telephone scams. Track the movement of visitors and patients while they are in the organization’s facility. Don’t assume there will be no problems: Have documented disaster recovery procedures in place.