A thorough security risk assessment is a required component for phase two of Health Insurance Portability and Accountability Act (HIPAA) audits. Small practices may focus these assessments on the security of office computers and portable devices, but there are a number of other areas that need equal attention. While electronic breaches are the most common, security noncompliance in the following five areas can also lead to HIPAA violations and penalties.
1. Paper files
Many practices have switched to electronic health records, but any physical paperwork containing protected health information (PHI) needs to be included in a risk analysis. Physicians Practice explained that patient privacy can be breached by unsecured storage of paperwork. A risk analysis should include measures taken to ensure papers are not being accessed by unauthorized individuals. This includes files that are headed to the shredder. Any papers should be shredded immediately or stored in a safe place until disposal.
2. Environmental threats
A comprehensive risk assessment doesn't just cover human threats. Certain environmental threats can also make PHI vulnerable to breach. According to the U.S. Department of Health and Human Services, power failures, chemicals and liquid leakage should all be addressed in a security analysis. Practices should have a backup plan in place in case security systems are compromised by an unpredictable environmental event.
3. Files of minors
The same security standards don't always apply to the PHI of adults and to that of minors. Physicians Practice explained that the necessary protection measures for minors can be complicated. Most security measures are a matter of common sense, but the rules governing the PHI of children are an exception.
"State regulations vary about who can access the medical records of patients younger than 18 [years of age]," Fletcher Lance, national healthcare leader at consulting firm North Highland, told Physicians Practice.
Practices should be familiar with the state laws governing the PHI of minors and be sure to include detailed notes about compliance in a risk assessment.
4. Natural threats
Practices need to have a HIPAA disaster recovery plan in case they are ever hit by a fire, flood or other natural disaster. According to TechTarget, the plan must detail the resources, actions and data that would be needed to protect and reinstate PHI after an unforeseen event. Even though disasters are unlikely, a healthcare provider must be prepared for any damage to its systems. Failure to recover from a natural disaster in a HIPAA-compliant manner can result in violations and fines.
5. Screen visibility
Any computer that a practice uses to access PHI should be visible only to authorized staff. Keeping screens out of view can be as simple as angling them away from waiting rooms, windows and hallways. However, the measures taken to keep PHI out of the sight of patients and visitors need to be documented in a security risk assessment. Staff should also use unique passwords to access PHI, and never leave paperwork unattended.