Risky business: HIPAA compliance and the importance of risk analysis assessments

December 3, 2015

As we have discussed in many previous articles, HIPAA has changed the way that dental practices need to operate. Not only do dentists need to be current on the latest technology and IT systems, but they must also ensure that they incorporate technologies in a HIPAA-compliant manner.

While we’ve looked at things from a technical standpoint in the past, most offices that have gone through the process of HIPAA compliance realize that there are many administrative parts of HIPAA as well. In fact, more than 50 percent of all HIPAA rules and regulations are administrative in nature.

While we will examine many of these in the coming months, there is one critical component that should be talked about first, as most HIPAA auditors will ask for this the minute they walk through the door: a copy of your most recent risk analysis.

What is a risk analysis and why is it important? Well, HIPAA section 164.308(a)(1)(ii)(A) is quite clear, and it states, “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” This is a required section; you must do this. Another section, 164.316(b)(2)(iii), says you must update it periodically.

Easy, right? Wrong! The people who put together HIPAA were purposely vague about the details. They understood that a risk analysis in a dental office is much different from one in a multi-location hospital, so they left it up to the covered entity (you) to figure out the details.

I would recommend that the following constitute a risk analysis:

  • Determine where vulnerabilities exist.

  • Determine what threats your network faces.

  • Determine where you are at risk.

  • Collect data.

  • Identify and document threats and vulnerabilities.

  • Assess your current security measures.

  • Determine the likelihood of threat occurrence.

  • Determine the level of risk.

  • Finalize documentation.

There are many ways to do a risk analysis. We offer a free one on our website at www.thedigitaldentist.com/risk-assessment. There are HIPAA professionals who can assist you to do similar assessments either remotely or onsite.

As far as frequency goes, that is also up for debate. I recommend doing a risk analysis annually, but if there haven’t been any significant changes to your practice, you can argue that every two to three years is also appropriate.