Performing a Risk Analysis of Your Optometry Practice

Performing a security risk analysis in your practice keeps your data safe. Risk analysis requires you to look at the way your practice operates and protects patient health information.

Once you conduct a security risk analysis, you can implement security updates as necessary and correct any deficiencies as part of the risk management process.

There are many ways risk analysis of your practice can be performed, so it's important to develop a plan before you dive in. Below we'll take a look at the physical, administrative, technical, policy, and organizational safety requirements that you should be looking at when performing a risk analysis.

What to Review when Performing a Risk Analysis of Your EHR Software

Depending on the size of your practice and resources, some practices may choose to outsource their risk analysis, while others might choose to perform the assessment on their own. The CMS website is a great resource for anything related to HIPAA and Meaningful Use, so we highly recommend you check out their tip sheet if you have further questions.

1. Physical Safety

When it comes to the physical safety of your patients' information, you need to take a look at the building your office is located in, your computer equipment, and any portable devices you might be accessing the system from. Some things you might want to put into place are building alarm systems, sprinkler systems, locked offices, and privacy screens that shield information from other people in the office.

2. Administrative Safety

In your office it's important to have one person designated as a "security officer" who oversees employee training, controls information access, monitors user activities, and routinely performs risk assessments for your practice.

3. Technical Safety

Here is where things can get a little tricky and technical if you don't have a strong IT background, and where you might want to hire an IT professional to assess your technical security. If you're using a cloud-based EHR, some of these things, like data encryption and backups, might be handled by the vendor. But your vendor can't do it all, and there are some things you'll need to do on your own in your practice, such as enforcing strong passwords to control access to the system and reviewing audit logs to monitor users and EHR activity.

4. Office Policies

Office policies help to make sure that everyone in your office is on the same page and aware of what they need to do to ensure HIPAA compliance. Keeping documentation of the security measures in your office will also be helpful in the event of a Meaningful Use audit.

5. Organizational Requirements

If you're using other software that integrates or works with your EHR software, it's important to have business agreements in place. You should also have a plan for identifying and managing other vendors who access, create, or store your patient information.

There's a lot to consider when going through a risk assessment with your practice, but you should be prepared with the resources that the CMS has available to help you. Check these out:



Editor's Note: This post was originally published in October 2014. It has been updated for relevance and richness of content in December 2019.
