Touchstone Compliance

How to Prepare for the Risk Assessment HIPAA Requires


My brother-in-law retired a few years ago after more than three decades in private practice. He ran his busy office the old-fashioned way — without computers. His patients’ records were kept in manila folders filed in a wall of shelves. In longhand, his office manager recorded appointments in a big black book and kept track of accounts in a ledger tucked into a backroom drawer.

Today, when I sat down to blog here about how to prepare for a risk analysis/risk assessment (the terms are interchangeable), I couldn’t help but think about my brother-in-law’s healthcare office and how its methods of dealing with patient information differed from those of most modern practices. I bring this up only to bring home an important point to keep in mind when setting out to do a risk assessment: namely, no two healthcare practices have exactly the same information-system components, nor do they manage the flow of information in exactly the same way.

Performing a risk assessment regularly is a required component for HIPAA compliance — a do-it-yourself method of understanding where your healthcare practice might be vulnerable when it comes to keeping Protected Health Information (PHI and ePHI) safe. An intended by-product of a risk assessment is the development of plans and strategies within your office to prioritize and address those vulnerabilities.

Start here

It’s probably safe to say that, unlike my brother-in-law, you run an office that relies on information technology in a variety of ways. To prepare for a risk assessment, here’s what I suggest for you or whoever serves as the Security Officer in your practice: catalogue the information-system components in the office that come in contact with PHI and ePHI and that play a role in either storing patient health information or transmitting it. Begin by listing:

Hardware — Computers at the front desk, tablets in clinical areas, printers, servers, scanners, modems, PDAs, and smartphones

Software — Operating systems; browsers; software for practice management, billing, EHR, email, and database and office productivity

Network components — Dedicated phone or cable lines, routers and hubs, firewall software and firewall hardware, wireless systems

Charting a course to HIPAA compliance

The next step is to create a simple chart to diagram and better understand how all that stuff works together in collecting, storing, and transmitting patient information. The result is an at-a-glance depiction of the flow of information at your office.

This step is important because HIPAA requires that your assessment of risk be specific to your practice. A chart like this communicates, “This is how we do things here.” It’s also an effective way to get a handle on what needs to be updated and the places and intersections where breaches could occur.
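Here is one way to capture that catalogue and flow chart in a form you can keep current, as an added example that is not part of this post: a constructed inventory of a hypothetical office, from which the script derives which components store, send or receive ePHI, which flows cross a network boundary (the "intersections" above), which flows are unencrypted, and a Graphviz DOT rendering of the chart. The component names, zones and flows are assumptions for illustration only.

```python
"""Constructed example: model a practice's ePHI flow as a graph and report
the storing/transmitting components and the boundary-crossing flows."""
from collections import defaultdict

# Hypothetical inventory: category, network zone, and whether ePHI is stored at rest.
COMPONENTS = {
    "front-desk-pc":   {"category": "hardware", "zone": "office-lan",  "stores_ephi": False},
    "clinical-tablet": {"category": "hardware", "zone": "office-wifi", "stores_ephi": True},
    "ehr-server":      {"category": "hardware", "zone": "office-lan",  "stores_ephi": True},
    "billing-app":     {"category": "software", "zone": "office-lan",  "stores_ephi": True},
    "firewall":        {"category": "network",  "zone": "perimeter",   "stores_ephi": False},
    "clearinghouse":   {"category": "external", "zone": "internet",    "stores_ephi": True},
}

# Hypothetical flows: (source, destination, what moves, encrypted in transit?)
FLOWS = [
    ("front-desk-pc",   "ehr-server",    "demographics",   True),
    ("clinical-tablet", "ehr-server",    "clinical notes", False),
    ("ehr-server",      "billing-app",   "claims data",    True),
    ("billing-app",     "firewall",      "claims data",    True),
    ("firewall",        "clearinghouse", "claims data",    True),
]

def inventory_roles(components, flows):
    """Map each component to the roles it plays: 'stores', 'transmits', 'receives'."""
    roles = defaultdict(set)
    for name, meta in components.items():
        if meta["stores_ephi"]:
            roles[name].add("stores")
    for src, dst, _, _ in flows:
        roles[src].add("transmits")
        roles[dst].add("receives")
    return dict(roles)

def zone_crossings(components, flows):
    """Flows whose endpoints sit in different zones: where ePHI leaves one boundary."""
    return [(s, d, w) for s, d, w, _ in flows if components[s]["zone"] != components[d]["zone"]]

def unencrypted_flows(flows):
    """Flows carrying ePHI in the clear; each one is a candidate finding for the assessment."""
    return [(s, d, w) for s, d, w, enc in flows if not enc]

def dot(components, flows):
    """Render the inventory as Graphviz DOT; stores of ePHI are cylinders, clear-text flows dashed."""
    lines = ["digraph ephi_flow {"]
    for name, meta in components.items():
        shape = "cylinder" if meta["stores_ephi"] else "box"
        lines.append(f'  "{name}" [shape={shape}, label="{name}\\n({meta["zone"]})"];')
    for s, d, w, enc in flows:
        lines.append(f'  "{s}" -> "{d}" [label="{w}", style={"solid" if enc else "dashed"}];')
    lines.append("}")
    return "\n".join(lines)
```

Pipe the output of `dot(COMPONENTS, FLOWS)` into Graphviz to get the at-a-glance chart; re-run the report whenever a device, application or connection changes.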

Ready? Set? Assess!

With that flow chart in hand, you’ll have a head start on a thorough risk assessment. And here’s why that’s a good thing. In an online conversation at, Verne Rinker, health information privacy specialist at the Office of Civil Rights (OCR), said this about the importance of risk assessment in healthcare practices:

“The number-one suggestion is risk analysis, and risk analysis needs to be comprehensive. It needs to look at all the systems because these are constantly changing as organizations change their IT infrastructure. It needs to be ongoing, which also catches not only the new systems that are coming online, but also catches changes in the existing systems and the existing business lines of entities. And it needs to be a regular part of their business. It needs to be on their corporate radar and in their culture of compliance.”

The topic of risk analysis/risk assessment is so important to HIPAA compliance, it deserves more than one blog. Stay tuned!
