In a previous post I discussed the risk of having patient information on smartphones. I ended that post by stating that a HIPAA Risk Assessment can help reveal where security measures are needed. Let's look at that a little more in depth.
Many people are confused as to what a HIPAA Risk Assessment is (the Security Rule itself calls it a risk analysis). Here is an oversimplified definition:
A HIPAA Risk Assessment is a process where you identify where patient data is, how you are currently protecting that patient data, and what additional steps you should implement to better protect the data.
Yes, that is a very oversimplified definition, but it lets you get your arms around the purpose and goal of the Risk Assessment. Let's drill down one level into the definition.
Identify where patient data is
The old saying that you can't protect what you don't know you have is very true, especially with patient data. The first step is to inventory every system that stores, accesses or transmits patient information. The obvious ones are an EMR, Practice Management or billing system. But as you look further you will find that patient data might also be stored on your ultrasound, digital x-ray system, in lab results, email, spreadsheets, documents, marketing databases, backups, and the smartphones and laptops that staff carry out of the office, etc. Every one of those is in scope.
How are you protecting patient data?
Answering this question is important. What protections do you have in place already? Is your network protected by a firewall? Is anti-virus installed on all systems? Do you have an employee termination procedure in place that removes a terminated employee's IT access immediately? Are you utilizing encryption? If so, where and how (for example, on laptop hard drives and portable media, and for data sent over the network)? Are disaster recovery procedures in place, and have they been tested?
These are only a sample of the questions that must be asked to determine how you are currently protecting patient information. The answers will reveal how well or how poorly the data is being protected, and each answer should be written down so you have a record of what was found.
What additional steps should you implement to better protect the data?
If you ask the right questions in the second step about how you are currently protecting data, then determining what additional security steps are needed should be very straightforward. For example, if you answered that you have never tested your disaster recovery procedure, then you know this is a needed process that must be implemented. Furthermore, if you don't have encryption on laptops that hold patient data, then implementing encryption should be at the top of your list. When the list of gaps is long, rank them by how likely the problem is to occur and how much patient data would be exposed if it did, and fix the highest-ranked items first.
A HIPAA Risk Assessment is confusing to a lot of people, but it is a very straightforward process. It is the heart of the HIPAA Security Rule because it makes you evaluate your workflows, identify where you store data, examine how you protect that data, and determine what additional security measures are needed.