November 5, 2013

Hi Jennifer -

Our hardware vendor continues to recommend that we have a HIPAA Security Risk Analysis done.  Is this something that you recommend?  I would very much appreciate your thoughts on the subject.

This is definitely a rhetorical question I wish more practices were asking. The answer is, of course, it's a good idea! Does a HIPAA Security Risk Analysis have to be blown out of proportion or life-altering? No. A HIPAA security risk analysis could be as simple as having your compliance officer (who may be you) put together a simple checklist, including, but not limited to, the following:
  • Are our HIPAA policies up to date (with the new changes effective September 2013)?
  • Do we comply with patient requests properly?
  • Is information created, maintained and/or stored at the practice protected?
  • Is our electronic information password protected?
  • Are our emails encrypted?
  • Is our system protected?
  • Do we have a system for protecting against breaches (have we adopted a Breach Notification Policy)?
  • Does each user of our system have a unique password?
  • Do our computers automatically password lock?
  • Do we have Business Associate Agreements with all of our vendors or third parties with access to our system?
  • Have we properly trained our staff to identify and respond to potential HIPAA issues/breaches?

A HIPAA Risk Analysis may certainly be more comprehensive than the above framework and will likely involve more than one member of your support team to assist (e.g., your lawyer, EHR company, etc.).

For a review of your policies and procedures or to discuss potential HIPAA exposure, contact Jennifer.