Data Breaches? This probably isn’t your first rodeo. If anything, with the crazy increase of electronic records within the last 20 years, they have become much more common.
A security assessment is a must-do for identifying threats and weak points around Protected Health Information (PHI). Finding those threats is important, but a formal risk analysis is also mandatory: the HIPAA Security Rule requires Covered Entities and their Business Associates to conduct an annual HIPAA risk assessment and to put security measures in place that help keep PHI safe.
Although the regulations do not tell organizations how to control or secure their systems, they do require that those systems be secured in some way and that the organization prove to independent auditors that its security and control infrastructure is in place and effective.
First things first. What is a HIPAA Security Risk Analysis? Before you can get started on safeguards, you’ll need to know:
Let’s determine the general scope of a Risk Analysis:
Not too bad, right? Okay, let’s look at the first 3 things you can do to begin your HIPAA Risk Assessment!
Gathering and Documenting Information
Where is your PHI? Who has access to it? We’re talking physical, digital — the who, what, and where of it all.
Assess whether or not the security measures required are already in place and are configured correctly according to the Security Rule. Document your findings!
Identify Threats and Vulnerabilities
How’s your server security? Is there possible PHI on a laptop or thumb drive somewhere that isn’t encrypted? Do employees share passwords?
Think about the gaps you may have uncovered in your organization’s safeguards, and for each one estimate how likely a threat is to exploit it and what that would do to the security and integrity of the PHI your organization maintains.
Technology-in-Use Documentation
In the past, IT security risk was treated as the responsibility of the IT or network staff, because those individuals understand the technical setup best. This approach has limits! As systems become more complex, integrated, and connected to third parties, the control you have over your own technology quickly runs out, so the risk analysis has to cover those outside pieces too. Take a look at:
Whew! Overall, a dental or medical practice must have a solid base for its information security framework. The risks and vulnerabilities of your practice will change over time though. If your practice continues to follow its framework, it will be in a good position to address any new risks and/or vulnerabilities that arise.
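The three steps above (inventory where PHI lives and who can reach it, check each location against the safeguards you expect, then rate likelihood and impact for the gaps) amount to a small risk-scoring procedure. The script below is an added illustration of that procedure, not code from the original post or from Done Desk. The asset inventory, the threat catalogue, and the 1-to-3 likelihood and impact scale are all constructed for this example; a real analysis would use your own inventory and whatever scale your auditor accepts.

```python
"""Minimal risk register built from a PHI asset inventory.

Added example, not a tool from the original post. The asset records, the
threat catalogue, and the scoring scale are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    """One place where PHI lives (step 1: gather and document)."""
    name: str                 # what/where the PHI is
    owner: str                # who is responsible for it
    access: list              # who can reach it
    portable: bool            # laptop, thumb drive, phone
    encrypted: bool           # encryption at rest in place?
    shared_credentials: bool  # do staff share a login?
    patched: bool             # current on security updates?
    third_party: bool         # hosted or maintained by an outside vendor


# Threat catalogue (step 2): each entry is a finding, a predicate saying when
# it applies to an asset, and constructed likelihood / impact ratings on a
# 1 (low) to 3 (high) scale. Risk score = likelihood * impact.
THREATS = [
    ("Lost or stolen portable device exposes unencrypted PHI",
     lambda a: a.portable and not a.encrypted, 3, 3),
    ("Shared credentials remove per-user accountability and audit trail",
     lambda a: a.shared_credentials, 2, 2),
    ("Unpatched system is exposed to publicly known weaknesses",
     lambda a: not a.patched, 2, 3),
    ("Third-party system is outside direct control; confirm BAA and vendor review",
     lambda a: a.third_party, 1, 2),
]


def assess(assets):
    """Match every asset against the catalogue and return the findings,
    highest risk score first (ties broken by asset name)."""
    findings = []
    for asset in assets:
        for description, applies, likelihood, impact in THREATS:
            if applies(asset):
                findings.append({
                    "asset": asset.name,
                    "owner": asset.owner,
                    "finding": description,
                    "likelihood": likelihood,
                    "impact": impact,
                    "score": likelihood * impact,
                })
    findings.sort(key=lambda f: (-f["score"], f["asset"]))
    return findings


def max_risk_by_asset(findings):
    """Worst score per asset: a quick way to see which location needs
    attention first."""
    worst = {}
    for f in findings:
        worst[f["asset"]] = max(worst.get(f["asset"], 0), f["score"])
    return worst


def risk_register(findings):
    """Step 3: render the findings as the documentation an auditor would
    ask to see. Returns the text rather than printing it."""
    lines = ["score | asset | owner | finding"]
    for f in findings:
        lines.append(f"{f['score']:>5} | {f['asset']} | {f['owner']} | {f['finding']}")
    return "\n".join(lines)


# Constructed sample inventory for a small practice.
SAMPLE_INVENTORY = [
    Asset("Front-desk practice management server", "Office manager",
          ["front desk", "dentists", "IT vendor"], portable=False,
          encrypted=True, shared_credentials=True, patched=True,
          third_party=False),
    Asset("Hygienist laptop with exported charts", "Lead hygienist",
          ["lead hygienist"], portable=True, encrypted=False,
          shared_credentials=False, patched=False, third_party=False),
    Asset("Cloud imaging portal", "Practice owner",
          ["dentists", "imaging vendor"], portable=False, encrypted=True,
          shared_credentials=False, patched=True, third_party=True),
]


if __name__ == "__main__":
    print(risk_register(assess(SAMPLE_INVENTORY)))
```

Running it prints the register with the unencrypted laptop at the top (score 9), its missing patches next (6), the shared front-desk login (4), and the vendor-hosted portal last (2). The point is not the numbers themselves but that every finding is tied to a named asset and owner, which is exactly what the documentation step of the analysis needs to show.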
A Curated Compliance and Training Program can do wonders for the process and ease of completing your HIPAA Risk Analysis every year. Even a webinar is a great first step. We provide comprehensive compliance programs, offered live or on-demand through a customized training system. Using the most up-to-date federal and state laws for the industry, our courses aim at educating both the doctor and their employees on their roles in mitigating risk around the office.
Schedule a quick demo to see how Done Desk helps you spend effective time managing your business so you can get back to medicine.