A new approach to risk analysis in the dental practice
Simply performing an online risk analysis may not be enough to properly protect your dental practice.
In a previous article, I talked about the need for a risk assessment/analysis and why it is critical for every office to have one. I mentioned that taking an online risk assessment is one method to accomplish this. While I still feel that part of the risk assessment can be done online, new information leads me to believe that a more comprehensive approach is indicated.
As many offices know, the Office of Civil Rights oversees the HIPAA program. In 2012, a series of 150 random audits were performed and the results tabulated and reviewed. To nobody’s surprise, the results showed that many practitioners were not adequately meeting the HIPAA standards. In an attempt to increase compliance, the number of random audits was increased to 1,200 for 2016. The first round of these audits was sent out on July 11.
One of the critical areas of concern that the audits discovered was the absence of a risk assessment. Most dentists understand this concept as it relates directly to how we treat patients. When a patient comes to your office for the first time, you perform a series of diagnostic tests to determine what pathology or other issues exist, and based on those tests, you can then develop an appropriate treatment plan. Well, HIPAA compliance works the same way: How can you take the necessary steps to get compliant unless you know which areas you aren’t compliant in? This is exactly what a risk assessment accomplishes: It identifies where the practice is at risk, so that you can then develop a plan to mitigate this risk.
The challenge for many offices is that there are three specific areas where practices can be at risk, and all of these have to be evaluated. The first is physical risk. Are your computers locked down? What about the charts? Is there an alarm system or monitoring? The second is administrative risk. Do you have systems in place to notify patients in the event of a breach? Have you adequately trained your staff? Do you have incident reports filed properly? Finally, there is the one that most people focus on: technical risk. Do you have firewalls in place? Antivirus software? Are your backups meeting HIPAA regulations? Is everything encrypted?