With the next round of audits right around the corner, doctors, chiropractors, dentists, and other covered entities should use this time to conduct a risk assessment. Also known as a risk analysis, it involves measuring a covered entity's risk of having Protected Health Information (PHI) accessed or disclosed by unauthorized individuals. The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to implement measures to secure PHI, and a risk assessment/analysis is intended to measure the effectiveness of those measures.
Components of a Risk Assessment
The Health and Human Services (HHS) Security Standards Guide describes nine mandatory elements covered entities must include in a risk assessment. See below for a list of these elements along with a brief description of each.
- Scope of the Analysis – known or potential vulnerabilities to the privacy and/or security of electronic PHI (ePHI).
- Data Collection – how the covered entity collects, transmits and stores data. If data is stored by a third party, the entity must put a business associate agreement in place to ensure that data is secured.
- Identify Potential Threats – what types of threats does the covered entity anticipate? Taking a proactive approach towards sizing up threats will eliminate potential problems before they occur.
- Assess Current Security Measures – how does the covered entity currently protect its PHI? This may include encryption, authentication, etc.
- Likelihood of Threat Occurrence – what's the chance of a threat actually occurring?
- Determine Level of Risk – according to the HHS, covered entities should gauge their risk level by averaging elements #5 and #6 cited above.
- Finalize Documentation – the risk assessment should be written (or typed) up in an organized document.
- Periodic Review and Updates – a risk assessment is an ongoing process, and as such it should be revisited and updated regularly rather than treated as a one-time exercise.
Security Risk Assessment Tool
Just last month, the HHS launched a new Security Risk Assessment (SRA) tool. As the name suggests, this free-to-use tool is designed to help covered entities conduct a risk assessment.
“The tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” wrote the HHS on its website.
Visit http://www.healthit.gov/providers-professionals/security-risk-assessment to use the new SRA tool.