Physicians: Don't skip your security risk assessment

Until they’ve opened a letter from the Office of Civil Rights (OCR) notifying them that their practice is being audited for HIPAA compliance, many physicians don’t realize the gravity of the situation their practices may be facing.

In those cases, physicians must confront the possibility that their practice has done only a bare-bones risk assessment. The electronic protected health information (ePHI) that sits on a practice's network may be vulnerable to a security breach because the leaks haven't been plugged, and a steep OCR fine for noncompliance can be waiting around the corner.

A thorough risk assessment will help a practice identify the additional security measures and procedures needed to reduce the risk of patient data breaches and to satisfy auditors. Here are steps practices can take to protect patient information and pass an audit.

Don’t put off your internal audit

Inventory where patient information is stored, accessed, or transmitted. 

Most physicians think their EHR is their only repository of patient records, but patient information can also sit in a Word document or spreadsheet, such as a billing report, and in emails or text messages.

Evaluate common threats to patient information

For each threat, analyze both how likely it is to occur and what the impact would be if it did. How is the practice protecting information in the case of fire or flood, of lost or stolen laptops containing patient information, or of emails sent to the wrong patient?

Again, have a policy in place and make sure patient information is secure and protected if it’s stored on a laptop and the physician takes it home. 
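The likelihood-and-impact analysis above is usually recorded in a risk register. The following is an added example (not from the original article) of a small register that scores each threat by likelihood times impact, ranks the results and lists which items still need treatment. The threats, ratings, mitigations and the low/medium/high thresholds are constructed for illustration; a practice would substitute its own.

```python
"""Risk-register scoring for a practice's ePHI threats (added example).

The threats, ratings and mitigations below are constructed samples, not
findings from any real practice.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales typical of a HIPAA security risk assessment.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Threat:
    name: str
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT
    mitigation: str   # planned or existing safeguard

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot silently lower a score.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"bad rating for threat {self.name!r}")

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Map a 1..9 score onto the three-level scale used in the register."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest risk first; ties keep the register's original order."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def summarize(threats: List[Threat]) -> List[Tuple[str, int, str]]:
    """(name, score, level) for every threat, highest risk first."""
    return [(t.name, t.score(), risk_level(t.score())) for t in rank_threats(threats)]


def needs_treatment(threats: List[Threat], accept_below: str = "medium") -> List[str]:
    """Names of threats whose level is at or above the acceptance threshold."""
    order = ["low", "medium", "high"]
    floor = order.index(accept_below)
    return [t.name for t in rank_threats(threats)
            if order.index(risk_level(t.score())) >= floor]


# Constructed register covering the three scenarios named in the article.
REGISTER = [
    Threat("Laptop containing ePHI lost or stolen", "high", "high",
           "full-disk encryption, remote wipe, no local copies of charts"),
    Threat("Email with PHI sent to the wrong patient", "medium", "medium",
           "recipient verification step, prefer patient-portal messaging"),
    Threat("Fire or flood destroys on-site server", "low", "high",
           "off-site encrypted backups with a tested restore procedure"),
]

if __name__ == "__main__":
    for name, score, level in summarize(REGISTER):
        print(f"{level:6} {score:2}  {name}")
    print("needs treatment:", needs_treatment(REGISTER))
```

Each entry also carries the mitigation that justifies a later, lower rating, which is the evidence an auditor asks for when checking that identified risks were actually addressed.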

Acquire additional security

A security risk assessment will identify additional security measures to reduce the likelihood of a threat and its impact.

Identify access

Track access to ePHI and patient data to detect unauthorized access.
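Tracking access is only useful if someone reviews the records. As an added example (not code from the original article), the script below reads a constructed EHR access log and flags three patterns an auditor would expect a practice to look for: a chart opened by a user who is not on that patient's care team, access outside business hours, and one user opening many distinct charts within a few minutes. The log format, the care-team roster and the thresholds are all assumptions made for the example.

```python
"""Review an EHR access log for unauthorized-access indicators (added example).

The log lines and the care-team roster are constructed samples, not real
patient or staff data. The CSV layout is an assumption; adapt parse_log()
to whatever the practice's EHR actually exports.
"""
import csv
from collections import deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed sample log: timestamp,user,patient_id,action
ACCESS_LOG = """\
timestamp,user,patient_id,action
2024-03-04T09:12:41,jsmith,P1001,view
2024-03-04T09:15:03,jsmith,P1001,update
2024-03-04T23:41:10,rlee,P1001,view
2024-03-04T10:02:00,rlee,P1002,view
2024-03-04T10:02:30,rlee,P1003,view
2024-03-04T10:03:05,rlee,P1004,view
2024-03-04T10:03:40,rlee,P1005,view
2024-03-04T10:04:12,rlee,P1006,view
2024-03-04T11:30:00,mchen,P1001,view
"""

# Constructed roster: which staff are expected to open each chart.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"jsmith", "mchen"},
    "P1002": {"rlee"}, "P1003": {"rlee"}, "P1004": {"rlee"},
    "P1005": {"rlee"}, "P1006": {"rlee"},
}

Finding = Tuple[str, str, str, str]  # (timestamp, user, patient, reason)


def parse_log(text: str) -> List[dict]:
    """Parse the CSV export and return events in chronological order."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(r["timestamp"]),
                     "user": r["user"], "patient": r["patient_id"],
                     "action": r["action"]})
    return sorted(rows, key=lambda e: e["ts"])


def review_access_log(text: str, care_team: Dict[str, Set[str]],
                      business_hours: Tuple[int, int] = (7, 19),
                      bulk_threshold: int = 5,
                      bulk_window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    findings: List[Finding] = []
    recent: Dict[str, deque] = {}  # user -> (ts, patient) events inside the window
    for e in parse_log(text):
        ts, user, patient = e["ts"], e["user"], e["patient"]
        stamp = ts.isoformat()
        # 1. Chart opened by someone not on the patient's care team.
        if user not in care_team.get(patient, set()):
            findings.append((stamp, user, patient, "not_on_care_team"))
        # 2. Access outside the practice's business hours.
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            findings.append((stamp, user, patient, "after_hours"))
        # 3. One user touching many distinct charts in a short window.
        q = recent.setdefault(user, deque())
        q.append((ts, patient))
        while q and ts - q[0][0] > bulk_window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= bulk_threshold:
            findings.append((stamp, user, patient, f"bulk_access:{len(distinct)}"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(ACCESS_LOG, CARE_TEAM):
        print(*f)
```

A care-team check like this produces false positives for covering clinicians and front-desk staff, so the roster has to be kept current; the point is that every flagged event gets a documented explanation, which is exactly what an auditor asks to see.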

Encrypt your data 

Encryption doesn't just protect against attacks; it can also help reduce any potential penalties, because auditors take into account whether a practice did all it could to protect the data.