A staggering 83 percent of physicians recently told AMA researchers that their practices have experienced a cyberattack of some type. The 1,300 physicians surveyed also said they are not getting enough cybersecurity support from the government that will hold them accountable for a breach of patient information.
The larger the practice, the more likely that specialized staff and resources will be available, but even the smallest medical practice must appropriately address HIPAA requirements. Done right, the risk analysis will go beyond limiting legal exposure. It can also help with meeting Merit-based Incentive Payment System (MIPS) requirements.
5 steps, but never “one and done”
The HIPAA Security Rule's risk-analysis standard (45 CFR 164.308(a)(1)(ii)(A)) points to five basic steps in conducting the analysis.
Identify the scope. This means combining an understanding of the administrative, technical and physical safeguard requirements with a complete inventory of every device in the practice that creates, receives, maintains or transmits ePHI. The computers and servers that make up the practice’s electronic health record system are obvious items, but others may not be. Modern photocopiers, for example, contain hard drives that retain images of everything scanned, so they belong in the inventory and must be wiped, or have the drive removed, before the unit is returned to a lessor or resold. Be sure to list all portable equipment storing ePHI: laptops, tablets, phones, USB drives and backup media.
Assess the risk. The purpose here is to identify and document potential vulnerabilities and to assess current security measures. Expect to conduct internal discussions—for example, with the office manager—and to seek external guidance on the current known risks and precautions concerning ePHI. The practice’s legal counsel, government agencies and professional associations are potential sources of information.
Evaluate the risk. Not all risks carry the same weight; the weight depends on how likely the unwanted event is and how severe its impact would be. The webinar provides a grid that rates each risk as medium, high or critical from those two factors, likelihood of occurrence and severity of impact.
For example, if the loss of an unencrypted laptop is judged probable given a practice’s operations (for example, a practice that conducts patient home visits), and the anticipated impact is severe because of the risk of disclosing ePHI (such as information about the patients being visited that day), then the risk is rated critical. That risk can be mitigated with full-disk encryption of the laptop; under HHS guidance, ePHI encrypted to that standard is treated as secured, so the loss of the device is generally not a reportable breach, provided the decryption key was not stored with it. Once rated, risks must also be ranked against one another.
Create a plan to address the risk. “Once you rank your different risks, you want to create a work plan to address those risks,” Hoffman said. That will require documentation—for example, work plans, the responsible staff member or contractor, budgets, and target dates.
Periodic review and updates to the risk analysis. A general rule of thumb is once a year, given that MIPS is on an annual timetable, and sooner whenever the practice adds a system or device that handles ePHI or experiences a security incident. “A true risk analysis isn’t a one-and-done deal, it is an ongoing process, especially as practices adopt new and evolving technologies,” said Hoffman.
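The five steps above read as a procedure, so here is an added example, written for this page rather than taken from the AMA article or the webinar, of a minimal risk register that walks through them: inventory entries are rated from a likelihood/impact grid, ranked, given a work-plan owner and target date, re-rated after mitigation, and flagged when the annual review is overdue. The grid thresholds, the three sample entries and the 365-day review window are all assumptions constructed for the example, not the webinar’s actual grid.

```python
"""Minimal HIPAA-style risk register: rate, rank, plan, re-rate, and flag for review.

Added example; the grid and sample entries are constructed assumptions, not the
webinar's grid or any real practice's data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed rating grid: score = likelihood x impact, mapped to the page's
# three labels (medium, high, critical). The real webinar grid may differ.
LIKELIHOOD = {"rare": 1, "possible": 2, "probable": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


def score(likelihood: str, impact: str) -> int:
    """Numeric score used for ranking (step 3)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rate(likelihood: str, impact: str) -> str:
    """Map a score onto the medium / high / critical labels (assumed thresholds)."""
    s = score(likelihood, impact)
    if s >= 6:
        return "critical"
    if s >= 3:
        return "high"
    return "medium"


@dataclass
class Risk:
    asset: str                    # step 1: item from the ePHI inventory
    threat: str                   # step 2: identified vulnerability / threat
    likelihood: str               # step 3: inherent likelihood
    impact: str                   # step 3: inherent impact
    owner: str = ""               # step 4: responsible staff member or contractor
    mitigation: str = ""          # step 4: planned control
    target_date: Optional[date] = None
    residual_likelihood: Optional[str] = None   # expected after mitigation
    residual_impact: Optional[str] = None
    last_reviewed: Optional[date] = None        # step 5

    def inherent(self) -> str:
        return rate(self.likelihood, self.impact)

    def residual(self) -> str:
        """Rating once the planned mitigation is in place."""
        return rate(self.residual_likelihood or self.likelihood,
                    self.residual_impact or self.impact)


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest inherent score first (step 3: 'risks must also be ranked')."""
    return sorted(risks, key=lambda r: score(r.likelihood, r.impact), reverse=True)


def review_overdue(last_reviewed: Optional[date], today: date, max_age_days: int = 365) -> bool:
    """Step 5: flag entries never reviewed or reviewed more than a year ago."""
    return last_reviewed is None or today - last_reviewed > timedelta(days=max_age_days)


def sample_register() -> List[Risk]:
    """Constructed sample entries mirroring the page's laptop and copier examples."""
    return [
        Risk("home-visit laptop", "loss or theft of unencrypted device",
             "probable", "severe", owner="office manager",
             mitigation="full-disk encryption, key held off-device",
             target_date=date(2024, 6, 30),
             residual_likelihood="probable", residual_impact="minor",
             last_reviewed=date(2023, 1, 15)),
        Risk("lobby photocopier", "hard drive returned to lessor with scanned images",
             "possible", "severe", owner="practice administrator",
             mitigation="drive wipe or removal at lease end",
             target_date=date(2024, 3, 31),
             residual_likelihood="rare", residual_impact="severe",
             last_reviewed=date(2024, 1, 10)),
        Risk("EHR server", "missing security patches",
             "possible", "moderate", owner="IT contractor",
             mitigation="monthly patch cycle", target_date=date(2024, 2, 28),
             residual_likelihood="rare", residual_impact="moderate",
             last_reviewed=None),
    ]


if __name__ == "__main__":
    today = date(2024, 3, 1)
    for r in rank(sample_register()):
        flag = " REVIEW OVERDUE" if review_overdue(r.last_reviewed, today) else ""
        print(f"{r.inherent():8} -> {r.residual():8} {r.asset}: {r.mitigation} "
              f"({r.owner}, by {r.target_date}){flag}")
```

The residual rating is what the work plan should be measured against: encrypting the laptop does not make it less likely to be lost, so the example leaves likelihood at “probable” and drops only the impact, which is the honest way to record that control.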