Security Risk Assessments (SRA)…for some, those three words strike fear into the hearts of grown adults. But it doesn’t have to be that way. Perhaps you’ve heard the myth. The one about smaller practices that only take cash, and so supposedly don’t need to follow HIPAA and don’t need to do the security risk assessment? It’s a trap that is potentially very costly and completely avoidable.
All practices create a medical record when a patient is first seen by that practice. And all medical records are protected by HIPAA. This means that all of us, as healthcare providers, are bound by these rules and regulations.
HIPAA has two fundamental rules: the Privacy Rule and the Security Rule. They affect everything we do in our practices and need to be understood by all practice owners and staff.
The HIPAA Privacy Rule and the Security Rule both require that practices identify possible threats, assess specific vulnerabilities, determine appropriate and reasonable safeguards, and implement the necessary defense mechanisms and policies.
Security Risk Assessment:
The Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) and HealthIT.gov have provided us with a tool that walks us through how to do an SRA. This video will give you an overview of how to use the tool for your practice. Below, I talk more about some of the areas you’ll want to look at.
Keep in mind, there are paper versions of this tool available as well. The tool, in its current form (at the time of this post), is available as a Windows .exe file and an iOS app for the iPad. There does not appear to be a Mac version available, though at least one resource has an Excel file you can use (see resources at the end of the article).
What are some of the areas you need to look at?
- Where are you accessing patient data?
- Are offices locked?
- Is there verbal spillover?
- Are you using privacy screen protectors to shield monitors from secondary viewing?
- How secure is the building? Are there alarms?
- What is your equipment like?
- Can computers holding patient data be stolen? What about your portable devices (laptops, tablets, phones, USB drives)?
- You need a security officer, have you named one? And yes, it could be yourself.
- Has everyone been trained appropriately?
- What are the controls for information access?
- Are you doing reassessments? How often?
- Got policies?
- Who has access to records?
- What happens if there is a hard drive crash?
- Are you using audit logs to monitor who accessed which records, and when? (Audit logging is almost always built into your EHR; the question is whether anyone reviews it.)
- Does the EHR and other software provide for secure, authorized electronic exchanges of information?
- How secure is your network? Who has access from outside your facility, or even in your waiting room?
- Think: password managers, backups, encryption, virus/malware protection
Policies and Procedures
- HIPAA P&P to ensure proper compliance
- Documentation and retention of records
- Who are your authorized users and is it documented?
- What happens when someone leaves your practice?
- Business Associate Agreements
- Appropriate vendors
- Review and update agreements
Doesn’t the EHR take care of all of this?
No. EHRs, for the most part, have done a very good job of taking care of their side of the security question, but we have to do ours as well. Even the most advanced EHR cannot stop a breach if the practice does things such as leaving a password set to “password”.
Practices must extend security to their facilities, people and procedures.
Once the SRA has been completed, the next required step is to create a risk management plan to bring your practice into compliance and keep it there. And of course, this will help protect your practice and the patient information you hold.
I’ve listed some resources below for further information. Of course, there are vendors out there who will do this for you; however, consider at least getting started yourself so you know exactly where you stand.
HHS Security rule https://www.hhs.gov/hipaa/for-professionals/security/index.html
National Institute of Standards and Technology (NIST)
Policies and Procedures for a Successful Medical Practice – this is a great resource for writing policies and procedures. Comes with templates that you can easily tweak – including for this topic! On Amazon.
How did you do on your assessment? Did you learn anything?