At the core of HIPAA security is a process called Risk Management. It sounds much more confusing than it actually is. So what is Risk Management? Here's a simple outline:
- Step 1: Identify current safeguards and weaknesses
- Step 2: Implement additional security safeguards
- Step 3: Go back to Step 1
This is an oversimplified definition of Risk Management, but it illustrates that the process is one that is repeated over and over. Our HIPAA Compliance Guide focuses on some of the things you can do for Step 2, but let's briefly look at Step 1.
How do you identify how you are protecting patient information and your weaknesses? The HIPAA Security Rule and Meaningful Use requirements call for all organizations to perform a HIPAA Risk Assessment. Let’s look at a simplified definition of a Risk Assessment.
Step 1 – Identify where patient information is stored (EMR, PACS system, email, etc.)
Step 2 – Identify threats to patient information (an employee loses a laptop with patient information, a fire destroys your EMR, a patient is sent another patient's test results, etc.)
Step 3 – Assess how you are currently protecting patient information (backing up your EMR on a nightly basis, using secure email to send patient information, using anti-virus to protect your systems from viruses, etc.)
Step 4 – Determine your risk for each of the threats that were identified in Step 2. You determine your risk by looking at how likely something is to happen and the impact if it does happen. Let’s look at an example to better explain risk.
Risk of a fire destroying your EMR
How likely is it that a fire will destroy your EMR? The likelihood is probably very low. Fires happen, but the probability of a fire is low.
What is the impact of a fire destroying your EMR? Your first reaction might be “the impact would be huge!” There is no denying that a fire would impact your organization but you have to look at the impact more closely.
Let’s look at the worst case scenario first. If a fire destroys your EMR and the data has not been backed up, all your patient information would be lost forever. You could not recover the information. Months or even years of patient records would be gone. You would have no history of any of your patients. This scenario could put your practice out of business and even jeopardize the health of your patients. It is hard to argue that the impact would not be great.
Let's look at another scenario where the impact would not be as severe. If your EMR data is backed up on a nightly basis and stored offsite, a fire would not have the same impact as in the first scenario. Yes, your server would be destroyed and your patient information would be inaccessible, but it would not be lost forever. You could purchase another server from Dell or HP. You can have your IT staff or company set up a new server. You can have your EMR vendor reinstall the EMR software. You can restore your EMR data from backup. It may take some time, but you would eventually have your EMR and patient information up and running and accessible once again.
The impact of the second scenario is obviously much less severe than the impact of the first scenario where all your patient information data is lost forever.
Step 5 – Determine additional protections to lower the risk. Using the previous example, if you determined the risk of a fire would be high because you are not backing up your data, then implementing a nightly data backup would lower your risk.
Again, these 5 steps are an oversimplified explanation of a Risk Assessment, but hopefully it gives you a better understanding of the process. The key is to identify the risks that could have a major impact on your organization and identify additional protections that could lower those risks.
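To make the five steps concrete, here is a small risk register that walks the fire example through Steps 1 to 5. This is an added illustration, not part of the guide; the three-level scale, the risk matrix and the sample entries are constructed for it, and the matrix deliberately rates permanent loss of all patient records as "high" even when the event is unlikely.

```python
"""Minimal risk register for the 5-step HIPAA Risk Assessment (added example)."""
from dataclasses import dataclass, replace

LOW, MEDIUM, HIGH = 1, 2, 3  # ordinal scale, constructed for this example

# Step 4 policy: (likelihood, impact) -> risk. Constructed for this example; a HIGH
# impact (records lost forever) is rated "high" even when the event is unlikely.
RISK_MATRIX = {
    (LOW, LOW): "low",     (LOW, MEDIUM): "low",        (LOW, HIGH): "high",
    (MEDIUM, LOW): "low",  (MEDIUM, MEDIUM): "medium",  (MEDIUM, HIGH): "high",
    (HIGH, LOW): "medium", (HIGH, MEDIUM): "high",      (HIGH, HIGH): "high",
}

@dataclass(frozen=True)
class Threat:
    asset: str            # Step 1: where patient information is stored
    event: str            # Step 2: what could happen to it
    likelihood: int       # Step 4: how likely the event is
    impact: int           # Step 4: impact given the safeguards currently in place
    safeguards: tuple = ()  # Step 3: what already protects this asset

def risk(t: Threat) -> str:
    """Step 4: combine likelihood and impact through the matrix."""
    return RISK_MATRIX[(t.likelihood, t.impact)]

def with_safeguard(t: Threat, name: str, *, likelihood=None, impact=None) -> Threat:
    """Step 5: record a new safeguard and the likelihood/impact it leaves behind."""
    return replace(t, safeguards=t.safeguards + (name,),
                   likelihood=t.likelihood if likelihood is None else likelihood,
                   impact=t.impact if impact is None else impact)

def prioritize(register):
    """Highest risk first, so the items with major impact come out on top."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(register, key=lambda t: order[risk(t)])

# Constructed register built from the guide's own threat examples
FIRE = Threat("EMR server", "fire destroys the EMR", LOW, HIGH)
LAPTOP = Threat("staff laptop", "laptop with patient records lost or stolen", MEDIUM, HIGH)
MISDIRECT = Threat("email", "test results sent to the wrong patient", MEDIUM, MEDIUM)

# The backup does not make fire less likely; it changes the impact from "lost
# forever" to "restore from backup", which is what lowers the risk.
FIRE_BACKED_UP = with_safeguard(FIRE, "nightly offsite backup", impact=MEDIUM)

if __name__ == "__main__":
    for t in prioritize([FIRE_BACKED_UP, LAPTOP, MISDIRECT]):
        print(f"{risk(t):6} {t.event} (safeguards: {', '.join(t.safeguards) or 'none'})")
```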
By now you may be saying to yourself “Okay, I understand the concept of risk but where are the simple and inexpensive tips I can take to secure patient information?”
Simple and inexpensive tips to secure patient information
A majority of HIPAA-related breaches of patient information happen due to lost or stolen portable devices. Portable devices include laptops, USB drives, CDs, DVDs, backup tapes, smartphones, etc. These portable devices can hold hundreds or thousands of patient records. There are a few simple and inexpensive ways of protecting portable devices to minimize the risk of losing patient information. Download our guide below for 5 simple and inexpensive tips to stay HIPAA compliant. Four of the tips focus on portable devices, and the fifth tip looks at how good password controls can protect patient information.