Performing a Risk Analysis of Your Optometry Practice

Posted by Janelle Pauli on Mon, Dec 23, 2019 @ 03:12 AM

Performing a security risk analysis in your practice keeps your data safe. Risk analysis requires you to look at the way your practice operates and protects patient health information.

Once you conduct a security risk analysis, you can implement security updates as necessary and correct any deficiencies as part of the risk management process.

There are many ways risk analysis of your practice can be performed, so it's important to develop a plan before you dive in. Below we'll take a look at the physical, administrative, technical, policy, and organizational safety requirements that you should be looking at when performing a risk analysis.

What to Review when Performing a Risk Analysis of Your EHR Software

Screen Shot 2019-12-16 at 3.51.01 PMDepending on the size of your practice and resources, some practices may choose to outsource their risk analysis, while others might choose to perform the assessment on their own. The CMS website is a great resource for anything related to HIPAA and Meaningful Use, so we highly recommend you check out their tip sheet if you have further questions.

1. Physical Safety

When it comes to the physical safety of your patients' information in your practice you need to take a look at the building your office is located, computer equipment, and portable devices that you might be accessing the system from. Some things you might want to put into place are building alarm systems, sprinkler systems, locked offices, and privacy screens that shield information from other people in the office.

2. Administrative Safety

In your office it's important to have one person designated as a "security officer" who oversees employee training, controls information access, monitors user activities, and routinely performs risk assessment for your practice.

3. Technical Safety

Here is where things can get a little tricky and technical if you don't have a strong IT background, and where you might want to hire an IT professional to assess your technical security. If you're using a cloud-based EHR some of these things like data encryption and back ups might be handled by the vendor. But, your vendor can't do it all, and there are some things you'll need to do on your own in your practice such as having strong passwords to control access to the system, and using audit logs helps monitor users and EHR activities.

4. Office Policies

Office policies help to make sure that everyone in your office is on the same page and aware of what they need to do to ensure HIPAA compliance. Keeping documentation of security measures in your office will also be helpful in the event of a Meaningful Use audit. 

5. Organizational Requirements

If you're using other software that integrates or works with your EHR software it's important to have business agreements in place. You should also have a plan for identifying and managing other vendors who access, create, or store your patient information.

There's a lot to consider when going through a risk assessment with your practice, but you should be prepared with the resources that the CMS has available to help you. Check these out:

If you want to get all the latest data security and industry news, stay subscribed to our blog.


Editor's Note: This post was originally published in October 2014. It has been updated for relevance and richness of content in December 2019

Tags: Technology, Uprise EHR & PM, Business Management

Looking for tips to grow your eyecare practice business? Read on!