Safety first: How to perform a security risk assessment

Conducting ongoing security risk assessments in your practice is a critical component of complying with the Health Insurance Portability and Accountability Act. And practices seeking to earn the meaningful use incentive must attest that they’ve completed a risk assessment and are fixing any security deficiencies.

Security risk assessments are also a good business move, since the patient information in your practice is one of your most valuable assets, says David Holtzman, JD, a vice president at data security firm CynergisTek.

Practices should conduct HIPAA security risk assessments annually, although HIPAA doesn’t mandate the exact timeframe, says Art Gross, CEO of health care IT firm HIPAA Secure Now! For small and medium-size practices, Gross estimates the process could take 13 to 15 hours if the practice uses a free checklist and documentation tool from the U.S. Department of Health and Human Services (HHS). It’s possible to do a risk assessment without outside help, but HHS recommends consulting with a security expert to be sure your assessment would hold up in a compliance review. Here’s a look at how to get started.

[story-sidebar id=”182951″]

1. Collect data. Track down all the health information your practice sends, receives and stores—not only medical records, but also billing information, insurance claims and quality assessment data.

2. Find threats and vulnerabilities. Is your backup data stored in a basement that’s prone to flooding? Could hackers or disgruntled former staffers access your electronic medical record system? Is health information stored on devices that aren’t encrypted? Do you have clear, well-enforced policies on who can access patient data?

3. Analyze your findings. For each weak spot you’ve identified, decide how likely it is to cause problems and how those problems would impact your practice. HIPAA requires you to protect against scenarios that could be reasonably anticipated to occur, so this will help you prioritize the areas where you need to add more safeguards.

4. Fix security deficiencies. Implement and document your plan for shoring up the weak spots you found in step three, whether that means adding locks to doors, tweaking office procedures or backing up data in an offsite location.

Finally, keep tabs on vendors who work with your practice’s health information. “If they lose all the data that’s stored in their servers, how will they restore it?” says Holtzman. “How will they guarantee the information they’re bringing back to you is the same information you loaded into their system?” You should also be sure your vendors are doing their own security risk assessments and have signed a HIPAA business associate agreement stating they’re protecting your practice’s health data.