Doctors, chiropractors, dentists and other covered entities are required by law to conduct regular risk analyses. Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, a risk analysis is intended to assess potential risks and vulnerabilities to the confidentiality, privacy and integrity of Electronic Protected Health Information (ePHI). When conducting a risk analysis, you should ask, and answer, the following questions.
What Type of ePHI do You Have?
You can't expect to protect ePHI from unauthorized use and/or access unless you know where it's located. So when conducting a risk analysis, identify the type and location of ePHI that your practice creates, receives, transmits or maintains. Only then can you take the necessary measures to protect ePHI from unauthorized use.
Do You Have External Sources of ePHI?
This is another question you should ask when conducting a HIPAA risk analysis. Not all ePHI is stored locally; some is stored by a third-party organization, such as a cloud-computing service provider. If you transmit ePHI to a third party, you must have the appropriate Business Associate Agreements (BAAs) in place; otherwise, your practice could be found in violation if it is audited by the Office for Civil Rights (OCR).
What Threats Does Your ePHI Face?
The Department of Health and Human Services (HHS) says that covered entities should ask themselves what threats their ePHI faces. These threats may consist of human, natural and environmental factors. A human threat, for instance, could be a nefarious individual attempting to hack your system, while a natural threat could be a flood on your office floor.
Do You Have a Security and Privacy Officer?
HIPAA further requires all covered entities to have both a security officer and a privacy officer. The security officer is responsible for ensuring compliance with the HIPAA Security Rule, while the privacy officer is responsible for ensuring compliance with the Privacy Rule. They should also train other workforce members on the nuances of these HIPAA Rules.
Is Your ePHI Encrypted?
The HIPAA Security Rule lists encryption as an addressable specification, meaning it's only required when deemed useful for reducing the risk of unauthorized use. Here's the thing, though: encryption almost always reduces the risk of unauthorized use, simply because the data cannot be read without the encryption key. For this reason, it's recommended that you encrypt your ePHI.