Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

Physicians: Don't skip your security risk assessment

May 25, 2016

Article

Until they’ve opened a letter from the Office of Civil Rights (OCR) notifying them that their practice is being audited for HIPAA compliance, many physicians don’t realize the gravity of the situation their practices may be facing.

In those cases, physicians must confront the possibility that their practice has done only a bare-bones risk assessment. The electronic protected health information (ePHI) that sits on a practice’s network may be vulnerable to a security breach because the leaks haven’t been plugged. And a steep OCR fine for noncompliance can be waiting around the corner.

A thorough risk assessment will help a practice identify the additional security and procedures needed to help reduce the risk of patient data breaches and to satisfy auditors. Here are steps practices can take to protect patient information-and pass an audit.

Don’t put off your internal audit

Inventory where patient information is stored, accessed, or transmitted.

Most physicians think their EHR is their only repository of patient records but patient information can be in a word document or spreadsheet as a billing report. Patient information could also be in emails or text messages.

Evaluate common threats to patient information

The likelihood of a threat and the impact of the threat if it occurs should also be analyzed. How are practices protecting information in the case of fire or flood, or lost or stolen laptops containing patient information, or sending emails to the wrong patient?

Again, have a policy in place and make sure patient information is secure and protected if it’s stored on a laptop and the physician takes it home.

Acquire additional security

A security risk assessment will identify additional security measures to reduce the likelihood of a threat and its impact.

Identify access

Track access to ePHI and patient data to detect unauthorized access.

Encrypt your data

Don’t just protect against attacks but help alleviate any potential penalties as auditors will take into account whether a practice did all it could to protect the data.