A HIPAA Risk Assessment is a Learning Experience

If you own a small- to medium-sized physical therapy practice, you are most likely preoccupied with daily operations such as paying bills, marketing your practice, and treating patients. You may know about HIPAA at a high-level—and you may also worry from time to time about a data breach. But, compliance and security are complicated; the regulations are written in legalese. Big organizations have resources that you do not in the form of experts—and time—that they can devote to focus solely on compliance and security. Security consultants are expensive and confusing—and sometimes it’s even hard to distinguish shady vendor fear tactics from real risks for your practice. No one is arguing that there aren’t barriers to understanding and tackling these complicated matters.  

Yet, you really can’t ignore HIPAA. After all, your patients are trusting you with their most private, confidential information. And if that weren’t enough, you’re also required by law to comply.

HIPAA security is getting a lot of press these days, as more healthcare entities are experiencing ransomware, data loss, and unsecured protected health information (PHI) on the Internet. Many healthcare organizations are being fined for one all-too-common infraction: not performing a comprehensive risk assessment. The act of performing a comprehensive risk assessment goes a long way in reducing your risk of unauthorized disclosure of PHI. As a side benefit, once you’ve tackled the almighty risk assessment, you will also be a HIPAA expert (or at least very, very knowledgeable on the subject). With that in mind, here are five ways completing a comprehensive risk assessment can be an educational and empowering experience:

1. You will finally understand what, exactly, you are required to protect.

Healthcare practices have a duty to protect the privacy and security of individually identifiable health information (IIHI) and protected health information (PHI), as defined in the HIPAA regulations. Protected health information is “individually identifiable information” relating to a patient’s health status that is “created, collected, transmitted, or maintained by a HIPAA-covered entity.” Breaking that definition down further, individually identifiable information can be a laundry list of things that could potentially identify an individual, including a social security number, a full-face photograph, and first and last names. This information becomes PHI when you, the healthcare provider, do something with the information (including collecting it, documenting it, storing it, or sending it to a payer for reimbursement).

2. You will grasp the security safeguards required to protect PHI.  

Even if you don’t become an instant expert on the HIPAA Security Rule, embarking on this journey will enable you to confidently identify and complete many of the requirements established in the regulations, such as:

• Perform a risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
• Develop and implement a comprehensive risk management plan that addresses HIPAA security standards and the risks identified in your risk assessment.
• Designate a security official (which can be you, one of your employees, or a consultant—as long as this person is officially named) responsible for planning, conducting, or coordinating the security risk assessment.
• Designate a privacy official (same note as above) responsible for developing and monitoring compliance with company policies and procedures.
• Develop and implement “written privacy policies and procedures” that are consistent with the HIPAA rules. The key word in this requirement is written policies. You can use templates to comply with this step, but you must customize them to your practice. Policies and procedures should denote the person you’ve named as security officer; the staff training requirements you’ve implemented; and the employee sanctions you’ve put in place for HIPAA violations.   
• Maintain reasonable and “appropriate administrative, technical, and physical safeguards” to prevent against unauthorized use or disclosure of PHI. This standard sounds murky, but it means implementing safeguards specific to your practice, such as restricted areas to prevent unauthorized viewing of PHI, asset tagging on company laptops, and encryption of all hardware containing PHI.
• Properly handle all media (e.g., thumb drives and computers) that contain PHI by completely erasing it, properly encrypting it, or destroying it before disposing or repurposing it, so that PHI cannot be recovered.
• Use unique user IDs for all information systems that contain PHI (account sharing is a huge compliance misstep).
• Implement physical security controls, such as a visitor and vendor sign-in sheets or other tracking mechanisms, so you can ensure, for example, that the water delivery person isn’t slipping away with PHI.

3. You will know how to implement steps for disaster-proofing your practice.

HIPAA requires healthcare practices to establish and follow “policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems containing electronic protected health information.” This includes maintaining a regularly updated contingency and disaster recovery plan. While this requirement may seem daunting, at one point or another, you’ve probably wondered how best to respond if a natural disaster were to impact your practice. So, now is a good time to develop your business continuity plan. The Internet is full of helpful resources—such as this blog post by WebPT Chief Compliance Officer Veda Collmer, which is specific to physical therapy and occupational therapy practices. And don’t forget to do your research to learn about your practice management vendors’ disaster recovery and business continuity plans, too. 

4. You will recognize the impact of HIPAA training on PHI security.

Training yourself and your staff on the HIPAA Privacy and Security Rules can have a significant impact on reducing your PHI security risk. HIPAA requires that you train all workforce members, which includes your front-office staff, part-time staff, therapy students, and volunteers—essentially, all individuals who are regularly in your practice, whether or not they have access to PHI. It’s important to have regular training (at least annually) and keep a record of those training sessions (via signup sheets, for example). These trainings do not have to be expensive, but they should be comprehensive. In other words, training should include education on your practice’s HIPAA policies and procedures, how to report a breach, who the Privacy and Security Officer is, and proper uses and disclosures of PHI. There are many free training resources available, some of which Collmer identified in this blog post. 

5. You will better understand your HIPAA business associates’ compliance practices, so you can avoid surprise risks.  

Healthcare practices must establish and maintain working relationships with business associates that are in full compliance with the HIPAA Final Omnibus Rule. By performing the risk assessment, you will understand the regulatory definition of a business associate, be able to identify your business associates, develop a plan for making sure you have signed business associate agreements in place, and implement a strategy for confirming that your business associates are complying with the HIPAA rules.  

Did you pause when you read about a business associate agreement in the previous paragraph? If you are wondering when a business associate agreement is required, it is necessary when another person or entity (not an employee) is involved with the creation, receipt, maintenance, or transmission of PHI on your company’s behalf. So, once you have completed your risk assessment, you can add an action item to your risk management plan to get HIPAA-compliant business associate agreements signed by all business associates.

In summary, HIPAA risk assessments have many benefits beyond the valuable insight you’ll gain from understanding the risks to your PHI. Performing a risk assessment is not easy, and it does take some time. But, it is critical to your ability to provide quality patient care and protect the financial health of your practice.  

SunHawk Consulting’s HIPAA Check™ risk assessment tool—which is available on the WebPT Marketplace and on the SunHawk website—promotes HIPAA compliance by asking questions that help its users understand how the HIPAA privacy, security, and breach rules and regulations apply to them. SunHawk’s proprietary algorithm, which we built from Office of Civil Rights audit requests and audit settlements, then takes the answers to those questions and ranks each section according to the practice’s risk of non-compliance.

Still scratching your head about HIPAA compliance? If you purchase SunHawk Consulting’s HIPAA Check™ risk assessment tool from the WebPT Marketplace, you’ll receive seven free HIPAA policies and procedures to get you started on your quest to HIPAA compliance. In the meantime, here are three more resources to help:

1. OIG Audit Tool
2. The OCR’s “Guidance on Risk Analysis Requirements Under HIPAA Security Rule”
3. The HIPAA Security Series