Maintaining HIPAA compliance requires being proactive rather than reactive. Discovering after the fact that you have been violating HIPAA regulations is never a good situation for a medical practice to be in, but you can spot potential violations before they happen. Performing a HIPAA risk assessment (the Security Rule calls it a risk analysis, 45 CFR 164.308(a)(1)(ii)(A), and requires covered entities and business associates to perform one) will help you identify your practice’s weak spots so that you can find solutions to strengthen them. Follow this HIPAA risk assessment template to help you avoid HIPAA violations and reduce risks within your medical practice:
Step 1: Identify devices and systems to determine PHI flow.
To perform a full risk assessment, list everywhere your patients’ health information is created, received, stored, or transmitted, because each of those systems carries sensitive medical information. Examples include servers, workstations, laptops, mobile phones, networked medical devices, EHR/EMR systems, other applications and software, operating systems, hard drives and other storage media, and any cloud or business-associate service that handles ePHI on your behalf. The list goes on and will likely expand as technology changes in the healthcare industry. Be sure to list out as many as you can so your risk assessment is as accurate as possible; an asset that is missing from the inventory never gets assessed.
Step 2: Departments to interview to document PHI flow.
Whatever the size of your practice, you need to document the flow of PHI in order to fully assess your risks and data safeguards; in a large practice this will require interviewing members of the various departments within your hospital or practice, whether management, operational, or technical. This will allow you to determine how your patients’ records are being sent, to whom, and how the information is being handled at each step.
Step 3: Identify threats and vulnerabilities.
You have to anticipate problems ahead of time to prevent PHI from being improperly disclosed, altered, or lost. Threats can include power failures, device malfunctions, malware, chemical leaks, and geological hazards. Vulnerabilities can include defects or incorrect configuration of information systems, or ineffective policies, procedures, and guidelines. A risk exists where a threat can exploit a vulnerability, so record the two together.
Some threats/vulnerabilities you should assess:
- Digital — a weak or default password on your EHR system; accidental ePHI deletions; a patient portal or website coded incorrectly
- Physical — improperly disposing of physical PHI (not shredding papers, etc)
- Internal — lack of internal security policies; an employee opens a phishing email and unwittingly downloads malware
- External — natural disasters (e.g. hurricanes, floods, fire); power outages
- Negligent — patient information accidentally left up on a computer screen for other patients to see
- Willful — an employee snooping in the records of a celebrity, acquaintance, or spouse
Step 4: Analyze top HIPAA risks and potential impact.
Once you have listed all of the possible threats and vulnerabilities, determine which ones have the highest likelihood of occurrence and the greatest potential impact. Rating each on both dimensions lets you grade the level of risk from low to high (a low-likelihood event with severe impact, such as a flood destroying the only copy of your records, can still rate high). Those that pose the highest risk should be dealt with first; lower-risk items can be addressed once the higher-risk items are handled.
Step 5: Identify top security measures based on top HIPAA risks.
Now it’s time to mitigate your security problems. Start with the highest risks and work down. Determine the solution for each risk, create a plan for implementing it, and record who owns it and when it is due. For instance, if you found that your ePHI was vulnerable to accidental deletion or loss due to employee error or environmental threats, you may want a secure cloud backup service for all of your digital patient files so that anything deleted can be recovered. Remember that a backup vendor storing your ePHI is a business associate, so you need a signed business associate agreement, encrypted backups, and periodic test restores to be sure the data actually comes back. Likewise, if documents are being improperly disposed of, make sure all departments are educated on which documents to shred and why.
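To make Steps 1 through 5 concrete, here is an added example (not part of the original article, and not an official HHS tool) of a small risk register in Python: an asset inventory, threat/vulnerability pairs scored for likelihood and impact, a low/medium/high rating, and a prioritized remediation plan. The asset names, scores, and playbook are constructed sample data; the 1-to-3 scales and the rating thresholds are assumptions you should replace with whatever scale your practice documents.

```python
from dataclasses import dataclass, field

# Qualitative 1..3 scales and thresholds are an assumption for this example;
# any consistent, documented scale satisfies the rule.
SCALE = {1: "Low", 2: "Medium", 3: "High"}


@dataclass(frozen=True)
class Asset:
    """One place ePHI is created, received, stored, or transmitted (Step 1)."""
    name: str
    owner: str            # department interviewed about this asset (Step 2)
    holds_phi: bool = True


@dataclass
class Risk:
    """One threat/vulnerability pair against an asset (Step 3)."""
    asset: str
    category: str         # Digital, Physical, Internal, External, Negligent, Willful
    threat: str
    vulnerability: str
    likelihood: int       # 1..3
    impact: int           # 1..3
    controls: list[str] = field(default_factory=list)  # safeguards already in place


def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood x impact onto Low/Medium/High (Step 4)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be 1, 2, or 3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def validate_register(assets, risks):
    """Inventory checks: every risk names a known asset, and every PHI asset has a risk assessed."""
    known = {a.name for a in assets}
    problems = [f"risk on unknown asset {r.asset!r}; add it to the inventory"
                for r in risks if r.asset not in known]
    covered = {r.asset for r in risks}
    problems += [f"asset {a.name!r} holds PHI but has no threats assessed"
                 for a in assets if a.holds_phi and a.name not in covered]
    return problems


def prioritize(risks):
    """Highest score first; ties broken by impact so data-loss items outrank nuisances."""
    return sorted(risks, key=lambda r: (-(r.likelihood * r.impact), -r.impact, r.asset, r.threat))


def remediation_plan(risks, playbook):
    """Attach a planned safeguard to each risk by category (Step 5); unmatched ones are flagged."""
    return [{"level": risk_level(r.likelihood, r.impact), "asset": r.asset, "threat": r.threat,
             "action": playbook.get(r.category, "TODO: assign an owner and a safeguard")}
            for r in prioritize(risks)]


# Constructed sample register for a small practice (not real data).
ASSETS = [
    Asset("EHR server", "IT"),
    Asset("Front-desk workstation", "Operations"),
    Asset("Paper charts", "Medical records"),
    Asset("Clinician phones", "Clinical staff"),
    Asset("Billing spreadsheet share", "Billing"),   # deliberately left unassessed
]

RISKS = [
    Risk("EHR server", "Digital", "Credential guessing", "Weak password on EHR admin account", 3, 3,
         ["lockout after 10 failed logins"]),
    Risk("EHR server", "External", "Hurricane or flood", "No off-site backup", 1, 3),
    Risk("Front-desk workstation", "Internal", "Phishing email delivers malware",
         "No email filtering; users have local admin", 3, 3),
    Risk("Front-desk workstation", "Negligent", "Shoulder surfing", "Record left on screen in waiting area", 3, 1),
    Risk("Paper charts", "Physical", "Dumpster diving", "Discarded charts not shredded", 2, 2),
    Risk("EHR server", "Willful", "Employee snooping on a relative's chart", "No access-log review", 2, 3),
    Risk("Clinician phones", "Digital", "Lost or stolen phone", "ePHI in unencrypted text messages", 2, 2),
]

PLAYBOOK = {
    "Digital": "enforce MFA and device encryption; retire shared accounts",
    "Physical": "locked shred bins and staff training on what to shred",
    "Internal": "email filtering, remove local admin rights, phishing awareness",
    "External": "encrypted off-site backup under a signed BAA; test restores",
    "Negligent": "screen-lock timeout and privacy filters at the front desk",
    "Willful": "monthly access-log review; sanctions policy",
}

if __name__ == "__main__":
    for problem in validate_register(ASSETS, RISKS):
        print("WARNING:", problem)
    for row in remediation_plan(RISKS, PLAYBOOK):
        print(f"{row['level']:<6} {row['asset']:<24} {row['threat']:<40} -> {row['action']}")
```

The inventory check is the part most registers skip: an asset that holds PHI but has no threats recorded is a gap in the analysis, not a clean bill of health, which is why the unassessed billing share is reported before the ranked list.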
Since technology and your practice operations will likely change frequently, perform a risk assessment at least once a year and again after any significant change, such as a new EHR, a new location, or a new vendor. Keep the written assessment and the remediation plan on file; the Security Rule requires that this documentation be retained for six years, and it is what HHS OCR will ask to see in an audit or breach investigation. This will keep you aware of new risks and vulnerabilities your practice may be exposed to, before they strike.