	Until they’ve opened a letter from the Office of Civil Rights (OCR) notifying them that their practice is being audited for HIPAA compliance, many physicians don’t realize the gravity of the situation their practices may be facing. 

 physicians must confront the possibility that their practice has done  only a bare-bones risk assessment. The electronic protected health information (ePHI) that sits on a practice’s network may be vulnerable to a security breach because the leaks haven’t been plugged. And  a steep OCR fine for noncompliance can be waiting around the corner. 

	A thorough risk assessment will help a practice identify the additional security and procedures needed to help reduce the risk of patient data breaches and to satisfy auditors. Here are steps practices can take to protect patient information-and pass an audit.

	Inventory where patient information is stored, accessed, or transmitted. 

	Most physicians think their EHR is their only repository of patient records but patient information can be in a word document or spreadsheet as a billing report. Patient information could also be in emails or text messages. 

Evaluate common threats to patient information

	The likelihood of a threat and the impact of the threat if it occurs should also be analyzed. How are practices protecting information in the case of fire or flood, or lost or stolen laptops containing patient information, or sending emails to the wrong patient? 

	Again, have a policy in place and make sure patient information is secure and protected if it’s stored on a laptop and the physician takes it home. 

	A  security risk assessment will identify additional security measures to reduce the likelihood of a threat and its impact. 

	Track access to ePHI and patient data to detect unauthorized access.

	Don’t just protect against attacks but help alleviate any potential penalties as auditors will take into account whether a practice did all it could to protect the data. 

Opinion

News

Legal

Until they’ve opened a letter from the Office of Civil Rights (OCR) notifying them that their practice is being audited for HIPAA compliance, many physicians don’t realize the gravity of the situation their practices may be facing.