
      Why Your Practice Needs a HIPAA Security Risk Assessment

There’s an old adage that states “What you don’t know can’t hurt you.” While that might be true in quite a few circumstances, it certainly doesn’t apply to HIPAA compliance. In fact, what you don’t know is likely to come back and haunt you, in the form of a data breach or HIPAA violation. But how do you figure out what you don’t know? How do you know what questions to ask or where to look when it comes to managing, monitoring, and improving your practice’s security stance?

      That’s where a HIPAA security risk assessment comes in. If you’re like most practices, you may not have the time, resources, or expertise to do a complete analysis of your security, but that doesn’t mean what you don’t know won’t hurt.


      What is the HIPAA Security Rule?

The HIPAA Security Rule sets the national standards for protecting electronic Protected Health Information (ePHI) when it is used, transmitted, or stored by healthcare providers. The rule requires that three specific types of safeguards be employed: administrative, physical, and logical/technical.

      More specifically, that means that medical offices and dental practices need to be aware and mindful of:

• Keeping practice hardware and software secure and up-to-date, especially systems that use or access a patient’s Electronic Health Record (EHR)
• Creating, maintaining, and reviewing practice security procedures and protocols, including training all staff
• Creating physical barriers to protect on-premise servers and limiting physical access to computers that store ePHI and practice data
• Limiting or restricting digital access to EHRs
• Creating, establishing, and enforcing data use agreements with all third-party vendors

      While HIPAA has other specific data security rules, this is the foundation. Keeping patient data and EHRs secure is a full-practice effort and any one of these pieces missing can create significant security risks.

What does HIPAA Compliance Require of Medical and Dental Practices?

      While adhering to the requirements set forth in the Security Rule is a great start, it’s not enough. Just doing those things will not help you achieve HIPAA compliance. In fact, there are distinct foundational rules medical and dental practices will need to adhere to on top of the above. The others include:

The Privacy Rule: A close second to the Security Rule, as this requires proactive efforts to maintain patient privacy. This assures patients that personally identifiable information (PII) will be kept secure and private.

The Breach Notification Rule: Dental or medical providers must inform their patients of data breaches or compromises of data integrity related to protected health information (PHI/ePHI).

The final rule is referred to as the Omnibus Rule. It modifies and encompasses all of the other rules while adding on the HITECH Act, which recommends that dental practices switch to EHR, and includes the Genetic Information Nondiscrimination Act (GINA).

      These are, of course, the overarching rules and, from there, they filter down into everyday procedures and protocols, including requiring things like HIPAA compliant email. Understanding the massive amount of detail included in all of these complex and intersecting regulations practically requires a special degree, one which isn’t offered in dental school. Plus, actually achieving HIPAA compliance demands a solid and detailed understanding of your practice’s IT infrastructure. In the midst of trying to run your practice, and dealing with staffing shortages, finding the resources to focus on IT and security can be a challenge.

      However, if you know where to focus those resources, it can save you time, effort, and money.

      What is a HIPAA Security Risk Assessment (SRA)?

      A HIPAA SRA is performed by a third party and is designed to identify vulnerabilities and risks to ePHI associated with the three aforementioned security requirements (administrative, physical, logical).

      More specifically, a risk assessment like the one provided by iCoreConnect’s iCoreHIPAA will provide:

      • Detailed explanations, definitions, and examples of your hardware, software, and administrative risks and vulnerabilities 
      • An audit-ready final report with recommended, risk-stratified remediation actions so you have a plan to address concerns
      • Dashboard tools to streamline that plan and allow you to collaborate with and directly assign tasks to team members
      • Templates to build data governance and HIPAA compliant policies appropriate to your organization
      • Staff training resources with progress tracking

      This way you can be sure you’re addressing any security gaps as well as building a proactive plan to prevent issues before they happen. 

Why Your Practice Needs a HIPAA Security Risk Assessment

      The HIPAA Security Rule requires that “covered entities”–like medical and dental practices–conduct a risk assessment of their organization. Even so, one of the biggest reasons most medical offices and dental practices need a third-party HIPAA security risk assessment is that, simply put, most organizations don’t have the expertise or resources.

      Larger organizations may have an IT team, but a full risk assessment can be time consuming and often involves more than just an in-depth analysis of hardware and software. More specifically, one of the biggest security risks and challenges organizations of every size face is human error. That means comprehensive staff training is a vital component of any HIPAA security plan.

      For smaller organizations, nearly every aspect of a risk assessment can seem daunting and overwhelming. Understanding physical and logical security needs requires experience and expertise, and it’s likely that staff is already consumed by business and practice-critical tasks and responsibilities.

In short, a HIPAA Security Risk Assessment can help you identify your weaknesses and develop a plan to address them without diverting your own staff’s time and resources to both of those efforts. And, as noted above, a comprehensive plan includes more than just ensuring software is patched and up-to-date. You’ll want to include everything from developing policies and procedures to training staff and ensuring the physical security of any on-site servers.

In fact, your solution may include investigating how cloud-based solutions can help improve your security stance. Regardless, with ongoing security threats and the need to ensure HIPAA compliance, a risk assessment can help you identify your risks and address the gaps in your security. In the long run, you’ll better protect patients and avoid ending up on the very real HIPAA Wall of Shame!

      If you’re ready to take your security to the next level and ensure the safety of your patients and practice, reach out to the iCoreConnect team today and let’s get started.
