HIPAA Risk Analysis — The First 3 Things You Can Do To Begin Your HIPAA Risk Assessment

Data breaches? This probably isn’t your first rodeo. If anything, with the rapid growth of electronic records over the last 20 years, they have become much more common.

A security assessment is a must-do to determine threats and weak points in how you handle Protected Health Information (PHI). Not only is it important to find these threats, but a risk analysis is also mandatory. The HIPAA Security Rule requires Covered Entities and their Business Associates to conduct an annual HIPAA risk assessment and to use security measures that help keep PHI safe.

Although the regulations do not instruct organizations on how to control or secure their systems, they do require that those systems be secured in some way and that the organization prove to independent auditors that its security and control infrastructure is in place and effective.

So, you’re required to do this huge assessment every year with not a lot of guidance on HOW to do it. What’s the best way to do your annual HIPAA Risk Analysis? Let’s explore.

First things first. What is a HIPAA Security Risk Analysis? Before you can get started on safeguards, you’ll need to know:

  • What kind of PHI you can access,
  • Where you have gaps and security risks,
  • And what can threaten the integrity and security of your PHI.


***Motivation Tip: Even a small breach of PHI due to a missed HIPAA Risk Analysis can quickly become a huge problem, with penalties capped at $1.5 million per calendar year for the duration of the breach.*** 😵‍💫 


Let’s determine the general scope of a Risk Analysis:

  • What kind of security procedures does your business have in place?
  • Are your employees aware of and trained in HIPAA Security regulations?
  • What kind of encryption are you using?
  • Are systems protected against unauthorized access?
  • Are your physical healthcare records locked up?

Not too bad, right? Okay, let’s look at the first 3 things you can do to begin your HIPAA Risk Assessment!

Gathering and Documenting Information

Where is your PHI? Who has access to it? We’re talking physical, digital — the who, what, and where of it all.

Assess whether or not the security measures required are already in place and are configured correctly according to the Security Rule. Document your findings!

Identify Threats and Vulnerabilities

How’s your server security? Is there possible PHI on a laptop or thumb drive somewhere that isn’t encrypted? Do employees share passwords?

Think about the gaps you may have uncovered in your organization’s safeguards, and for each one consider how likely it is that a potential threat could compromise the security and integrity of the PHI your organization maintains.

Technology In Use Documentation

In the past, IT security risk has been seen as the responsibility of the IT or network staff, since those individuals have the best understanding of the technical setup. This approach has limitations! As systems have become more complex, more integrated, and more connected to third parties, the control you have over the technology quickly runs out, so the whole organization needs a documented picture of what is in use. Take a look at:

  • Hardware specifications,
  • Software types, product names, and versions,
  • Network setup,
  • And security systems: your firewall and malware protection.

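As an added illustration of the three steps above (documenting where PHI lives, identifying threats such as unencrypted portable devices and shared passwords, and recording the software and protections in use), not code from the original post: a small Python risk register that scores a constructed inventory by likelihood times impact. The asset names, the checks, the 1-3 scoring scale and the unsupported-version list are all assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One entry from the 'where is your PHI?' inventory (constructed fields)."""
    name: str                     # hypothetical device or system name
    holds_phi: bool               # does it store or access PHI?
    portable: bool                # laptop, thumb drive, phone
    encrypted_at_rest: bool
    shared_credentials: bool      # do staff share one login for it?
    software: str
    version: str
    has_malware_protection: bool

# Constructed sample inventory for illustration only; not real systems.
INVENTORY = [
    Asset("front-desk-pc", True, False, True, True, "PracticeMgmt", "12.1", True),
    Asset("dr-laptop", True, True, False, False, "Windows", "10", True),
    Asset("backup-usb", True, True, False, False, "n/a", "n/a", False),
    Asset("guest-wifi-ap", False, False, False, False, "RouterOS", "6.40", False),
]

# Versions the practice treats as unsupported (placeholder list, not vendor data).
UNSUPPORTED = {("Windows", "7"), ("RouterOS", "6.40")}

def assess(asset: Asset) -> list:
    """Return findings for one asset; score = likelihood (1-3) x impact (1-3)."""
    impact = 3 if asset.holds_phi else 1   # PHI exposure drives impact
    findings = []

    def add(threat, likelihood):
        findings.append({"asset": asset.name, "threat": threat,
                         "likelihood": likelihood, "impact": impact,
                         "score": likelihood * impact})

    if asset.holds_phi and asset.portable and not asset.encrypted_at_rest:
        add("unencrypted PHI on a portable device (loss or theft)", 3)
    if asset.shared_credentials:
        add("shared passwords remove individual accountability", 2)
    if (asset.software, asset.version) in UNSUPPORTED:
        add(f"unsupported software: {asset.software} {asset.version}", 2)
    if not asset.has_malware_protection:
        add("no malware protection", 2)
    return findings

def risk_register(inventory: list) -> list:
    """All findings across the inventory, highest score first (ties keep order)."""
    register = [f for a in inventory for f in assess(a)]
    return sorted(register, key=lambda f: f["score"], reverse=True)
```

The sorted register is the document-your-findings artifact: the highest-scoring rows (unencrypted PHI on portable devices) are the ones to remediate first, and rerunning it after changes shows whether the risk picture has moved.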
Whew! Overall, a dental or medical practice must have a solid base for its information security framework. The risks and vulnerabilities of your practice will change over time though. If your practice continues to follow its framework, it will be in a good position to address any new risks and/or vulnerabilities that arise.

A Curated Compliance and Training Program can do wonders for the process and ease of completing your HIPAA Risk Analysis every year. Even a webinar is a great first step. We provide comprehensive compliance programs, offered live or on-demand through a customized training system. Using the most up-to-date federal and state laws for the industry, our courses aim at educating both the doctor and their employees on their roles in mitigating risk around the office.
