[Figure: A checklist of security features is helpful in preparing for a HIPAA risk assessment.]

Published 3/1/2014
Dave Kunz

25 Tips for Passing a HIPAA Risk Assessment

Title II of the Health Insurance Portability and Accountability Act (HIPAA), known as the “Administrative Simplification Provisions,” requires medical practices to follow a set of national standards for electronic healthcare transactions and assigns national identifiers for providers, health insurance plans, and employers.

In addition, the Meaningful Use requirements state that a practice must “conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” Thus, to meet the Meaningful Use requirements, practices must conduct periodic risk assessments to prove that they are HIPAA-compliant.

What is a HIPAA risk assessment?
A HIPAA risk analysis is a process that helps ensure that the practice is following these national standards. It involves a thorough look at the practice, and in particular at how the practice meets the information technology standards. As part of the assessment, someone in the office, typically a physician or the practice manager, should be designated as the HIPAA security officer.

But what does a risk analysis entail, and what must be included in the report? According to the Department of Health and Human Services (HHS) Security Standards Guide, a risk analysis has nine mandatory components. Any healthcare or healthcare-related organization that stores or transmits electronic protected health information (ePHI) must include the following components in their risk analysis document:

  • Scope of the analysis—any potential risks and vulnerabilities to the privacy, availability, and integrity of ePHI
  • Data collection—where data is being stored, received, maintained, or transmitted
  • Potential threats and vulnerabilities—identifies and documents any anticipated threats and vulnerabilities that may lead to an ePHI breach
  • Current security measures—steps being taken to protect data, such as encryption
  • Likelihood of threat occurrence—the probability of potential risks to ePHI
  • Potential impact of threat occurrence—the impact of a data threat, as determined by using either qualitative or quantitative measures
  • Determination of level of risk—the average of the assigned likelihood of occurrence and the potential impact, plus a list of corrective actions that would be performed to mitigate risk
  • Documentation—the written analysis required by HHS
  • Reviews and updates—subsequent risk analyses whenever new technology or changes to business operations are planned or implemented

Although many practices may be able to conduct a risk assessment without using an outside vendor, others may decide that an outside vendor can be more objective and efficient. Asking other practices how they approached the project, searching the Internet, and checking with the practice’s current IT vendor are ways a practice can find companies that specialize in conducting risk assessments.

Any vendor selected should provide a certificate that states the practice has had a HIPAA risk assessment. If the assessment is completed by practice physicians and staff, it is important to document each activity in the process.

25 tips
The following list will help you prepare for a risk assessment (and the items are also good habits to form):

  1. Always follow HIPAA guidelines and rules.
  2. Keep all paper medical records under lock and key and make sure only authorized personnel have access to them.
  3. Ensure that any paper records that are past their required storage date or have been digitized and are no longer needed are properly destroyed.
  4. Install antivirus and firewall software on all personal computers, laptops, tablets, and the practice’s internal network. If possible, the internal network should have only limited Internet access.
  5. Make sure that computer screens do not face the reception room or any direction within view of unauthorized personnel. In addition, be sure that password locks are used when staff step away from their computers.
  6. Train staff to always log out of the electronic health record system when they leave the computer.
  7. Do not use social security numbers as unique patient identifiers.
  8. Because patients have the right to revoke access to any health information network the practice is part of, be sure that proper written consent is obtained before any information is shared.
  9. Require that passwords be changed on a regular basis. Ensure that passwords are not exchanged, written down, or posted in places where others can see them.
  10. Keep portable hardware containing data secure and locked away when not in use.
  11. Keep all hardware—including servers—in a clean environment, with minimal or no access by unauthorized personnel.
  12. Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for protecting patient health information.
  13. Ensure that staffing policies and procedures are up to date. If an employee leaves the practice, change his or her user status to inactive on the last day of employment.
  14. Review audit trails on a regular and periodic basis to identify potential system abuse or misuse.
  15. Have a disaster recovery procedure.
  16. Make sure data are backed up every day.
  17. Ensure that every computer that stores patient data is encrypted.
  18. Keep a list of the practice’s third-party vendors and ensure that they all sign a Business Associates Agreement stating that they won’t disclose any practice information.
  19. Designate a staff member to be a “security officer,” who is in charge of making sure the practice is HIPAA-compliant.
  20. Provide all employees with badges or another form of identification that proves they work for the practice.
  21. Train the staff on proper Internet use, including avoiding the use of the practice’s computers for personal business.
  22. Do not include any information that can identify a person as a patient in records that are not part of the EHR system.
  23. Do not allow flash drives or any external data device used in the practice to be removed from the practice or used on computers that are not owned by the practice.
  24. Notify the security officer immediately if a computer shows signs of being infected.
  25. Never put flash drives or external media found on the ground into a practice’s computer.

Dave Kunz is vice president, sales, for Technical Doctor, Inc., Arlington Heights, Ill., a healthcare IT company that specializes in HIPAA-compliant solutions. For more information, visit www.technicaldr.com