Banner

Article

Physicians: Don't skip your security risk assessment

Until they’ve opened a letter from the Office of Civil Rights (OCR) notifying them that their practice is being audited for HIPAA compliance, many physicians don’t realize the gravity of the situation their practices may be facing.

Until they’ve opened a letter from the Office of Civil Rights (OCR) notifying them that their practice is being audited for HIPAA compliance, many physicians don’t realize the gravity of the situation their practices may be facing. 

In those cases, physicians must confront the possibility that their practice has done  only a bare-bones risk assessment. The electronic protected health information (ePHI) that sits on a practice’s network may be vulnerable to a security breach because the leaks haven’t been plugged. And  a steep OCR fine for noncompliance can be waiting around the corner. 

A thorough risk assessment will help a practice identify the additional security and procedures needed to help reduce the risk of patient data breaches and to satisfy auditors. Here are steps practices can take to protect patient information-and pass an audit.

Don’t put off your internal audit

Inventory where patient information is stored, accessed, or transmitted. 

Most physicians think their EHR is their only repository of patient records but patient information can be in a word document or spreadsheet as a billing report. Patient information could also be in emails or text messages. 

 

Evaluate common threats to patient information

The likelihood of a threat and the impact of the threat if it occurs should also be analyzed. How are practices protecting information in the case of fire or flood, or lost or stolen laptops containing patient information, or sending emails to the wrong patient? 

Again, have a policy in place and make sure patient information is secure and protected if it’s stored on a laptop and the physician takes it home. 

Acquire additional security

A  security risk assessment will identify additional security measures to reduce the likelihood of a threat and its impact. 

Identify access

Track access to ePHI and patient data to detect unauthorized access.

Encrypt your data 

Don’t just protect against attacks but help alleviate any potential penalties as auditors will take into account whether a practice did all it could to protect the data. 

Related Videos
Emma Schuering: ©Polsinelli
Emma Schuering: ©Polsinelli
Scott Dewey: ©PayrHealth
Related Content
Medicare fraud trial ©MaksymYamilianov - stock.adobe.com
November 21st 2024

Dallas jury finds practice liable for Medicare fraud that could result in more than $300 million in penalties

Ep 40: Malpractice caps and nuclear verdicts with Bob White, the Doctors Company
September 20th 2024

Ep 40: Malpractice caps and nuclear verdicts with Bob White, the Doctors Company

© Barclay Damon LLP
November 21st 2024

Physician discipline in the new age of telehealth

Ep 34: U.S. Rep. Earl L. 'Buddy' Carter on physicians getting involved in policy
June 28th 2024

Ep 34: U.S. Rep. Earl L. 'Buddy' Carter on physicians getting involved in policy

© Reset Medical and Wellness Center
November 14th 2024

What primary care physicians should know about NSR treatment

© rogerphoto - stock.adobe.com
November 12th 2024

AMA supports additional oversight for nonprofit hospital charity care