Is it time for your Annual HIPAA Risk Assessment?
Recently, we received a question from a physician's office: "I already had a consultant come in last year and do a HIPAA risk assessment. I am now compliant. Why do I need to schedule another HIPAA risk assessment this year?"

A HIPAA Risk Assessment is not just a mandatory compliance requirement; it is what keeps your patient data safe and secure on an ongoing basis and surfaces potential issues before they become incidents. Things change, things happen, and you need to monitor your security continuously. If you suffer a breach, the agency that conducts the audit is likely to ask for your most recent HIPAA Risk Analysis or Risk Assessment, and if it is too far in the past you may be considered negligent. If you participate in the MACRA/MIPS incentive program, you must attest annually to the Centers for Medicare and Medicaid Services (CMS) that you have conducted the annual HIPAA Security Risk Analysis.

These are some of the reasons a HIPAA Risk Assessment is not a one-time exercise. Risk Assessments should be reviewed at least annually, and again whenever new work methods are adopted or new technology is introduced.
To prepare for the assessment:
- Identify where all your Protected Health Information (PHI) is stored, received, maintained or transmitted.
- Assess current security measures used to safeguard PHI.
- Make a list of all vendors that may have access to your PHI.
- Have all your written HIPAA Policies and Procedures in place.
- Be ready to document the assessment and take action where necessary.
PHI usually lives in more places than anyone in the office expects. Walk through each of the following areas and write down what you find.
On your computer?
- Electronic Health Records (EHR)
- Shared network drives
- Word documents
- Recycle bin
In your office?
- Paper Charts or files
- File rooms and closets
- CDs and USB drives
- Old computers/servers that are no longer in use
- Shredders or shred bins
- Tablets and other mobile devices
- Diagnostic equipment such as ultrasound machines and scanners
Within your network storage?
- A database
- Other folders on the hard drive
- Unencrypted images in other folders
- Remote servers
- Documents on network shares
In the cloud?
- Electronic Health Record systems
- Online cloud backup service
- e-Fax services
- Online file storage and transmission services such as Box, Dropbox, Google Drive
- Email services
The HIPAA Security Rule groups the measures used to protect PHI into three kinds of safeguards, and the assessment should check each of them:
- Administrative Safeguards establish a formal security management process, including written HIPAA Policies and Procedures that are readily available to medical office staff. Require that all staff, including physicians, undergo security training to stay current on the laws and guidelines. Develop policies and procedures for the transfer, removal and reuse of media that hold PHI.
- Physical Safeguards secure the locations and workspaces used by staff members, limiting access by unauthorized people and potential intruders. Install cameras and alarm systems as needed. Lock up all IT equipment and limit access to authorized personnel only.
- Technical Safeguards secure and control access to ePHI. This is done in many ways, such as requiring passwords or PINs and implementing automatic logoff. Ensure that antivirus is updated on all PCs. PCs and laptops on which PHI and images are stored should be fully encrypted; properly encrypted PHI on a lost or stolen device is not considered "unsecured" PHI, which is the difference between an inconvenience and a reportable breach. Do not share passwords.
Compensating controls, also called alternative controls, are put in place to satisfy the requirement behind a security measure that is impractical to implement at the present time. Document the control, the reason the primary measure could not be implemented, and when you will revisit the decision, so the auditor can see that the gap was managed rather than ignored.
Examples of compensating controls:
When a medical office has paper charts filed on open shelves in a storage room or behind the reception desk, the recommendation is to lock the charts away at the end of the day. Many times it is not practical to put locks on every open shelf used to file charts. A compensating measure is to install cameras covering the premises to monitor and record all activity. It is important that you also have a process in place to review the video recordings periodically; a camera nobody watches is not a control.
If an ultrasound technician uses CDs, tapes and disks to store images, or uses a USB hard drive to transfer images to PCs and the EHR, those devices have to be encrypted. Many times the technician is not sure whether the thumb drives are encrypted. A compensating control here is to lock the CDs and flash drives in a cabinet when they are not in use.
The Health Insurance Portability and Accountability Act (HIPAA) is primarily concerned with the privacy and security of patients' Protected Health Information. All entities that come into contact with Protected Health Information on a regular basis are covered under the Act. Has it been more than one year since your last HIPAA Risk Assessment? Or have you never had a HIPAA Risk Assessment done before? Either way, be sure to schedule your 2018 HIPAA Risk Assessment and 2018 HIPAA Training right away; don't wait until it's too late.
Resources on HIPAA compliance:
- Using the NIST Cybersecurity Framework
- CMS paper on MIPS
- A practical guide to HIPAA Compliance for a compliance or privacy officer of a small or medium sized healthcare organization
- They all ask for a risk assessment: have you completed yours this year?
- Video: Five steps to HIPAA compliance
- 10 steps to help prevent breaches of PHI