Medical practices must step up their efforts to prevent HIPAA breaches from occurring. A risk analysis can help.
The 2009 Health Information Technology for Economic and Clinical Health Act enhanced HIPAA privacy and security enforcement provisions and increased the penalties associated with a breach.
One way to reduce the risk of a security breach is to conduct a risk analysis, a prevention technique that many practices are not using.
"A risk analysis is a review of the potential risks and the vulnerabilities to your systems that hold electronic protected health information (ePHI)," said attorney Susan A. Miller, during her session, "Get Ready for the New HIPAA Privacy and Security Changes: An Action Plan for Medical Groups," at the Medical Group Management Association (MGMA) Annual Conference on Tuesday, Oct. 8.
In addition to analyzing your systems, a medical practice risk analysis (which is also required under the HIPAA Security Rule and is a meaningful use requirement) includes an assessment of your physical building, tools, staff, vendors, and so on, said Miller, a consultant at Health Transactions, Inc., a technology and compliance consulting company. "You've got to review all of those as you do a risk analysis."
During her session, Miller identified some of the common technologies practices must consider when conducting a risk analysis:
Mobile devices. Look particularly closely at mobile devices, including smartphones, tablets, laptops, and thumb drives, said Miller, noting that loss and theft of mobile tools are the most common problems that lead to HIPAA breaches.
To mitigate the risks associated with mobile devices, practices should ensure that all protected health information stored on them is encrypted. If the information is encrypted, the loss or theft of the device is not considered a breach.
Machines. Fax machines, copiers, scanners, and printers are another important risk area for practices to consider, said Miller, noting that many of these devices contain hard drives filled with protected health information. "You have to put these items on your list when you do a risk analysis," she said. Practices must ensure that they can degauss or otherwise destroy the hard drive if the device is discarded, sold, or, if it is leased, returned to the owner.
E-mail. Another common risk area for practices is e-mail, said Miller, noting that practices should always ensure that protected health information included in an e-mail is encrypted (or better yet, that it is not included at all). "Instead of sending out e-mail to patients with their PHI in it, you can say [in an e-mail], 'There's something on the portal, go check it out,'" said Miller.
Physical security. Remember that a risk analysis is not just about assessing technology; it is also about securing any PHI (or tools containing ePHI) in your practice. For that reason, Miller said, practices must assess locks, doors, windows, devices, workstations, etc., to ensure they are secure.
Robert Tennant, senior policy adviser for MGMA government affairs and Miller's co-presenter, identified some more specific steps practices should take when conducting a risk analysis:
• Review policies and procedures;
• Review where you store PHI;
• Determine whether encryption is warranted and to what extent;
• Review medical record retention and destruction policies to confirm that data is being destroyed properly;
• Look at your top risks and create a cost-effective plan to mitigate risks;
• Update policies and procedures; and
• Train staff on changes.