Since 2003, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule has required covered entities (medical service providers that transmit information electronically – even billing) to conduct a risk analysis. If your medical group or hospital creates, maintains, receives, or transmits electronic protected health information (e-PHI), a risk analysis is a mandatory step towards HIPAA compliance.
The purpose of a risk analysis is to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the medical facility. You can’t take the necessary risk management steps to protect your patients’ e-PHI if you don’t first identify your weaknesses, threats, and risks. In addition to disclosing patients’ private information and losing their trust, breaches take up a lot of valuable time, may result in hefty federal fines, decrease patient satisfaction, and damage the medical group’s reputation.
The risk analysis requires reviewing the administrative, physical, and technical safeguards that keep e-PHI confidential. Once potential risks have been identified, a plan of action should be implemented to address them, with reassessment of the system and office completed on a regular basis. The risk analysis, the identified potential risks, the plan of action, and the reassessment should all be carefully documented, and that documentation must be kept available in case the office is audited for HIPAA compliance or investigated for an alleged breach of e-PHI.
The risk analysis should be done regularly, whether biannually or annually, and whenever there has been a change that might alter the way the office creates, maintains, receives, or transmits e-PHI.
Your staff is the biggest security threat. According to the Office for Civil Rights (OCR), 95% of security issues are related to human error and 56% of employees do not receive any data security training. Protection of e-PHI must be embedded into the culture of an office or an organization. Only when staff are properly trained, have management’s support, and work within a culture of compliance will they become proactive in protecting e-PHI.
The Office for Civil Rights has published guidance on risk analysis, linked below. Please protect your patients and your medical group or hospital by taking the necessary steps to keep electronic information as secure as possible.
View the Final Guidance on Risk Analysis.
Author Kimberly Danebrock, RN, JD, is a Senior Risk Management & Patient Safety Specialist at the Cooperative of American Physicians, Inc. (CAP).
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.