When was the last time that you conducted a Health Insurance Portability and Accountability Act (HIPAA) risk assessment of your healthcare practice? The Office for Civil Rights (OCR) requires covered entities to conduct their own internal risk assessments on a regular basis to determine whether or not their patients' data is at risk for unauthorized access and/or use. While many covered entities neglect this step, it's an essential component in maintaining a compliant healthcare practice.
Security Rule Risk Assessment
The Security Management Process standard described in the HIPAA Security Rule requires all covered entities to implement policies and procedures to prevent, contain and correct security violations. Among the four required implementation specifications is a security risk assessment. According to the HHS, a risk assessment involves a thorough assessment of potential risks and vulnerabilities that pertain to the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI).
In other words, a risk assessment is a thorough analysis of potential risks with regard to EPHI. This may include checking whether messages are being encrypted, whether EPHI is being properly disposed of, how long EPHI is stored, etc. Keep in mind that a security risk assessment is limited to Electronic Protected Health Information and does not cover paper/physical PHI.
HHS Risk Assessment Tool
In addition to conducting your own risk assessment, you may also want to use the tool provided by the Department of Health and Human Services (HHS). Located at https://www.healthit.gov/providers-professionals/security-risk-assessment-tool, this free-to-use tool is designed specifically for assessing the security risk of a healthcare practice. The tool is a collaborative project developed by the OCR and OGC, and is intended to guide covered entities through the process of assessing their risk. It's completely free to use with no strings attached, so be sure to check it out!
Security Risk Assessment Tool Videos
Of course, the aforementioned risk assessment tool will only prove useful if you are familiar with its mechanics. This is why the HHS has published a plethora of training videos on its website, guiding covered entities and their respective workers on how to use the tool. Feel free to watch some of these videos to learn more about the risk assessment tool and how it works.