Risk Assessment for HIPAA Breach: The Elephant in the Room

By Alex Tate | January 29, 2015

Performing HIPAA risk assessments is among the priorities of practitioners, as it is necessary to keep their practices and patients protected. However, it is not as easy as it sounds. Security of patient data is an important part of the government regulations that affect physicians’ business and the safety of patients’ health data.

What physicians most often forget is that a HIPAA risk assessment is not a one-time job. Regular assessment is an issue that healthcare providers conveniently ignore, until the consequences come back to haunt them. Owing to the time and money spent on HIPAA risk assessment, it’s like the circle of hell that Dante was afraid to write about. Well, not literally of course!

Health practitioners are aware that applying regular IT checks and conducting risk assessments is an important task, but they have to realize that the frequency with which the security measures are applied and assessed is equally important. The situation is not as easy as it appears to be. More often than not, security breaches and HIPAA violations occur in practices and hospitals where IT checks are properly in place.

So, how can health providers address such a sensitive issue and find ways to make their data resistant to security breaches? The simple answer is: by conducting regular HIPAA risk assessments and closing every loophole along the way.

Since it has been established that regular risk assessment is the way to ensure the security of patient health data, the question arises: “how often should a healthcare facility perform these assessments?” There is no standard way to judge that. Practitioners have to decide based on their practice needs, patient flow, the security checks deployed, and financial capability.

Information technology security advisors have strongly urged health providers to keep a strict check on patient data security by continuously upgrading their safeguards. Gary Alterson, director of risk and advisory services for Neohapsis, said that although practices are required to conduct HIPAA risk assessments once every year, that is not enough for most healthcare facilities.

Alterson strongly suggested consistency in risk assessments. He said, “Given the rapidly changing threat environment and how fast IT moves, I recommend that risk assessments be refreshed and reviewed at least quarterly, if not monthly.”

Unfortunately, practitioners have been slacking in this department. Jim Mapes, chief security officer at BestIT, has raised serious concerns regarding risk assessment. Mapes is of the view that health organizations are having a difficult time keeping up with the annual HIPAA risk assessments. That is why it is the need of the hour for them to rethink their approach to the process.

Mapes suggested that the best approach to ensuring regular security risk assessment is to treat the activity as a life cycle and make it part of your practice’s workflow. He explained the life cycle approach in a comprehensive manner:

  • Perform assessments at equal intervals throughout the year
  • Identify vulnerable spots each time an assessment is carried out
  • Find remedies for the vulnerabilities so that they do not recur
  • Create a business plan for conducting regular assessments

Undoubtedly, it is crucial for a practice to conduct regular assessments of HIPAA risks; however, allocating resources and performing the assessments on time are necessary for their success. Security analysts routinely hear auditees make excuses about a lack of time, which puts their patient data at risk. HIPAA risk audits require elaborate schedules that should be followed aggressively to produce results. True, this will disrupt the practice workflow and affect productivity for that duration, but after all the hassle it will secure your patients’ health information and save your practice from HIPAA violations, which may cost you heavily.


About the Author

Alex Tate is a digital marketing specialist, content strategist, and health IT consultant at CureMD who provides perceptive, engaging and informative content on industry-wide topics including EHR, EMR, practice management and HIPAA compliance.