HIPAA Risk Assessments

Since it was first passed in 1996, HIPAA (the Health Insurance Portability and Accountability Act) has required covered organizations to protect patient records from being released, whether deliberately or accidentally. The rules are deliberately flexible and scalable: what works for a large medical office of 50 employees may not be practical for a smaller office with only 3 employees, and the regulations leave room for each organization to choose safeguards that fit its size and resources. HIPAA has been updated several times since its creation, and the HITECH Act (2009) and the Omnibus Rule (2013) were added to keep up with the changing ways data is stored and used. Let's look at the HIPAA risk assessment and what it can entail.

The first thing to look at is where the data is stored and how it is stored. Keeping any identifiable data protected and secure is essential for every patient health record. Is the data stored electronically, and if so, is there a backup of that data in the event of a power failure or natural disaster? Patient data must be available to medical personnel when it is needed to ensure proper patient care, and available to a patient who requests their own records. Data can be stored on servers on site or on a cloud server off site; either way, it must be accessible to the people who need it, when they need it, and only to them.

The next step is to look at the likelihood of the data being hacked, corrupted, or accidentally released. The risk assessment assigns a likelihood value to each type of event for each place the data lives. For example, data stored only on hard copy is not at risk of electronic release, but it is more exposed to human error or carelessness (misfiled charts, papers left on a desk). If that same data is also stored on a server, it carries a much higher risk of being hacked or infiltrated, and both locations have to be counted. Every place PHI is stored must be evaluated for how it could be breached and how an attacker could get in.

The risk assessment will also include a walkthrough to observe HIPAA practices in action. An evaluator will look for passwords left in open view or computers left unattended and logged in. Any printouts of protected health information must be kept securely away from prying eyes. Data can be breached by employees, customers, or even strangers in some cases. If a passerby can have an unobstructed view of PHI (Protected Health Information), the office is not applying reasonable safeguards, and that gap must be addressed before it turns into a reportable disclosure.

After the data has been evaluated for how and where it is stored and the risk of a data breach has been determined, the business and/or the risk assessor must develop a plan of action to address the problem areas. This can range from minor adjustments, such as changes to the password policy, to more serious options, such as reevaluating the way data is physically stored. A written record of the risk assessment and the recommended changes must be created and kept, documenting that the assessment was performed and that the changes were evaluated and completed.

Training and risk assessments must be refreshed on a regular basis to ensure all employees keep up to date on the HIPAA/HITECH/Omnibus requirements and on how best to keep data safe. Most businesses keep their assessments current with a yearly assessment plus continuous monitoring. If new policies or procedures are implemented, new training must follow. Larger operations may hold monthly meetings to keep all personnel up to date. Because the HIPAA rules are written in general terms, companies have a lot of room to tailor their controls to the requirements.

Finally, determine the costs of implementing the new plan and of keeping data securely protected. Since its inception in 1996, HIPAA has been extended to cover not only the business handling the PHI but also its business associates and anyone else with even limited access to the PHI, such as IT companies. These business associates must also undergo HIPAA training and risk assessment at regular intervals to ensure compliance. The penalties assessed on a business that does not follow these regulations can be extremely high, with one penalty reaching $5.5 million for a preventable data breach.

HIPAA risk assessments are a valuable tool for keeping protected data safe and for following the rules and guidelines laid out. HIPAA and its subsequent additions contain the guidelines and rules that can be used to protect patients' identifiable health information and give them confidence that their information will not end up for sale on the internet, or worse.

I know we have all had those doctors' visits where we had to fill out what seems like one HIPAA form after another at every office we visit. Understanding what those forms help to protect might make it seem like less of a tedious task. If your business falls under HIPAA, or you are a business associate of one that does, then you too need a risk assessment and a plan to prevent breaches from happening. Contact us at Davis Advanced Technologies and schedule your risk assessment today.

Davis Advanced Technologies