Security Risk Assessment

Required Annual Audit

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires any provider who transmits protective health information via digital means to meet a set of national standards that ensures your clients’ privacy.

One of the many requirements is that all organizations who are considered covered entities must conduct an annual Security Risk Assessment and document its findings.  The Office for Civil Rights can fine providers up to $50,000.00 per violation (per client record breached).

There are 9 steps to complete this annual audit:

1. Determine the scope of your risk analysis
   If you are an owner or managing partner of a group practice, now is the time to appoint a HIPAA Security and Privacy Officer.  Train all staff members, and make sure that everyone understands what constitutes Protected Health Information along with its permissible uses and disclosures. Explore the manner in which your practice obtains and manages PHI.
2. Collect data.
   Analyze and update your organization’s Notice of Privacy Practices.  Audit previous and current charts to ensure proper consents are signed and there is an indication that clients were given an opportunity to review the Notice of Privacy Practices.  Assess agency contractors and vendors.  Assure that each have signed Business Associate Agreements and those documents are available for an audit. Analyze and update policies related to financial obligations and payments, ensuring that PCI compliance documentation is available. Interview staff members about the processes they use to assure client information is protected.  Sit in your lobby and analyze the flow of clients as they navigate through check in and check out, noticing possible areas for improvement.
3. Identify potential threats and vulnerabilities.
   Are cabinets and doors sometimes left unlocked? Do you have firewall protection for the wifi your clinicians and staff use vs. the wifi you offer your clients as they wait in the lobby?  What is your office security system like?  Is video captured, stored and destroyed properly?  Can benefits checking conversations be overheard in the lobby? Does your organization have a policy that is followed consistently when clients request access to their data or opt to revoke an existing authorization for their data? What kind of computer equipment is your staff utilizing? Is software adequately funded to include HIPAA compliance?  Are emails encrypted on both sender and user’s end?  Is additional staff training required?  Do your clinicians take laptops home with them?  How is payment information processed and stored?  Does your organization utilize any cloud solutions for data management?  Has your electronic health record notified you of any potential breaches?  Have any of the insurance panels you are contracted with notified you of any breaches?  Is all of this documented somewhere?
4. Assess Your current security measures.
   Document any technical and non-technical safeguards you have in place, including responsible parties, policies and procedures to follow in the event of a breach or to ensure safety of PHI, access controls, encryption protocols, password protocols, automatic log-off.  If you have created internal training programs related to HIPAA compliance, document the curriculum you use, the dates of training, and the individuals that have been trained.  Document the manner in which your organization sanctions staff members found in breach of these procedures.  Analyze or create an emergency action plan.
5. Determine the likelihood of threat occurrence.
   As you analyze and list the potential threats and vulnerabilities, create a strategy for determining the likelihood of risk.  A LIkert scale (low, medium, high or an intensity value from 1-10)  is a useful tool for this strategy.  
6. Determine the potential impact of each threat occurrence.
   Detail the possible outcomes of each data threat. Include disruptions to financial transactions, loss of physical assets, loss of contact records, corruption of data, unauthorized access to patient information.
7. Identify the risk level.
   Review the Likert Scale data from Step 5 and the potential impact of threat occurrence from Step 6 to determine a risk level for your organization (Low, Medium, High).
8. Determine the appropriate security measures and finalize the documentation.
   Document a plan to maintain low risk, to mitigate medium risk or to fix security gaps leading to high risk assessment.  Create timelines for completion of tasks and assign responsibilities to staff members.
9. Periodically review and update the risk assessment.
   Maintain a checklist document that is annually reviewed and signed by your HIPAA Security Officer.