No one wants to start the year off with large fines and decreased reimbursement. Those are just two reasons why conducting a risk analysis is imperative for your office.
Since 2003, federal law (the HIPAA Security Rule) has required that covered entities (medical service providers that transmit information electronically, even for billing) identify the risks to the confidentiality of the electronic protected health information (e-PHI) they maintain. Therefore, if your office creates, maintains, receives, or transmits e-PHI, a risk analysis is mandatory for HIPAA compliance. A Risk Analysis is also part of the Meaningful Use requirements.
Information systems are subject to serious threats that can have a negative impact on patients and the practice. In addition to disclosing the patient's private information and losing their trust, breaches take up a lot of your valuable time, may result in hefty federal fines, decrease customer satisfaction, and damage the practice's reputation.
Risk Analysis is a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the office. The Risk Analysis assesses a series of administrative, physical, and technical safeguards to assure that e-PHI is being kept confidential.
The Risk Analysis is only the first step in compliance with the Security Rule. Once potential risks have been identified, you should implement a plan of action to address them. Further, the process is ongoing: the system and office should be reassessed on a regular basis and whenever a change could alter the risks. The Risk Analysis, the risks it identifies, and any action taken should be carefully documented by the office and available if the office is investigated for an alleged HIPAA breach or audited for HIPAA compliance.
The importance of data protection must exist within the entire culture of the office. Physicians and office managers must understand the seriousness of protecting e-PHI and educate office staff accordingly. Only then will the workforce do what is expected, by not just going through the motions, but by being proactive in a culture that protects patients and their data.
The Office for Civil Rights (OCR) has guidance and a sample Risk Analysis available at the links listed below. This information will assist you in identifying and implementing the safeguards that will best serve your office. Please protect your patients, their information, and yourself by doing your part to keep their electronic information as secure as possible.
View the Final Guidance on Risk Analysis.
For a sample HIPAA Risk Assessment General Checklist, visit our website.
Authored by
Kimberly Danebrock, RN, JD
Senior Risk Management & Patient Safety Specialist
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.