As a provider of healthcare for patients, your practice is required to ensure that patient data is secure and adequately protected.
Healthcare organizations such as chiropractic practices are regulated by HIPAA and must complete a security risk assessment to look for possible threats to patient information.
If your clinic has not completed a risk assessment yet, here are some tips and more information on this process.
Security assessment and rule basics
HIPAA’s Security Rule requires that covered entities, such as chiropractic practices, complete security risk assessments. In fact, any and all electronic patient health information that your clinic creates, receives from elsewhere, uses, or transmits away from your clinic is subject to the security rule. You are required to not only evaluate your clinic’s risks to patient data, but you are also required to enact reasonable protections to minimize these risks.¹
This rule begins with analysis. Your security risk assessment will help you identify security strengths and weaknesses so that you can sufficiently protect your patients’ information.
As you complete the analysis, you will identify how data is created and used by your clinic. From there, you will look for threats to this data from internal and external sources. You will look at every aspect of data access, creation, and use within your clinic in addition to how data is transmitted outside of your clinic for use or storage.¹
Why security risk assessments are essential
Your security risk assessment will help you correct potential data security problems before they happen. Skipping the assessment leaves those threats unidentified and unaddressed, making it more likely that they will materialize.
The assessment process is designed to protect you and your clinic as much as possible. This can help minimize your practice’s liability if the worst happens to your patients’ information.¹
Because the assessment is also required by HIPAA, not completing it violates important healthcare regulations and may result in negative consequences for your practice. The security rule provides specific guidance for conducting a thorough risk assessment, so not doing so would be unwise for your practice.¹
How to assess your own risk
To conduct your own risk assessment, review the security rule and the assessment requirements that apply to your organization. As long as your own assessment method meets security rule standards, you may use your own customized assessment.
Generally speaking, these standards require that your assessment review every aspect of patient data recording, use, access, and transmission. For example, you will be reviewing how staff members in your clinic log in to and use your EHR, how paper records are handled and stored, what access vendors and consultants have to your patients’ data, and other issues.
You will be looking for ways unauthorized users may try to gain access, considering the possible implications of staff mistakes and reviewing your clinic’s methods for transmitting data to clinical partners. Any situation where patient data is used should be scrutinized very carefully.¹
Although its use is not required, the Office of the National Coordinator for Health Information Technology (ONC) offers a downloadable tool that helps you review your practice’s compliance by asking 156 questions about your clinic. These are straightforward “yes” and “no” questions designed to reveal your practice’s security risks. From there, you can use your answers to identify areas where you need to improve your patient information security.
Start your security risk assessment
Because risk assessments are such an important prevention strategy, your clinic should make it a priority to review your patient information use. As you conduct your assessment, document each question and answer carefully, providing a plan to address each area of weakness you identify throughout the process.
You may also want to get staff members involved. Your staff may help you identify other issues and solutions, so be sure to ask for their insights.¹
References
¹HHS.gov. “Guidance on Risk Analysis.” U.S. Department of Health & Human Services. http://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html. Accessed: October 2016.