What to Do After the Risk Assessment
After the assessment is over, it's time to move forward to mitigate issues and fill gaps where breaches could occur.
Risk assessments are not only required by HIPAA, but they are supposed to be performed annually by anyone receiving meaningful use funds. It's important to know, however, that a risk assessment isn't the end of your office's duties. After the assessment is over, it's time to move forward to mitigate issues and fill gaps where breaches could occur.
“Part of the reality of security management is you are never done and it's never perfect,” said Gary Pritts, president of Eagle Consulting Partners in Cleveland. “It's like maintaining an old house … you are always living with some degree of imperfection.”
Jay Hodes, president of Colington Consulting in Washington, D.C., said when he completes a risk assessment for a client there are pages of actionable items that have to be sifted through afterward. Any risk assessment should reveal a host of things that need to be changed. This can be daunting, but breaking it down and setting priorities can make it more manageable.
“There is always a real hesitancy leading up to a risk assessment but it's not a gotcha exercise,” Hodes said. “An assessment is done to identify problems before they become breaches. It becomes a real eye-opening experience.”
The first step to take after receiving or completing an assessment is to prioritize the risks. There are a couple of ways to do this. One is to determine the areas that present the greatest potential problems. The second is to pick the low-hanging fruit that will be easier to mitigate.
High-priority areas might be those involving personnel who have frequent access to protected health information (PHI). Protective measures could include encrypting laptops or getting a redundant internet connection, particularly if the office relies on a cloud-based system.
To make compliance more manageable, Cindy Winn, deputy director of consulting with the Fox Group LLC, based in Upland, Calif., said she often has clients focus on one thing at a time and start small to build confidence. Something like password management is a good first move. An administrator can analyze password management and put systems in place that don't allow people to reuse a previous password or that require passwords to be changed every 90 days. Another easy procedure to implement is regularly checking data backups to ensure they are working properly.
The next step is to create a work plan. Hodes said this could be as easy as using an Excel spreadsheet with a list identifying all of the risks. He recommends dividing up tasks among the staff and noting on the spreadsheet who is assigned to what. Descriptions of each task should note what is currently being done in each area, recommendations to mitigate the problem, a timeline for completing the task, the status, and a date of completion. It may also be good to note what kind of access someone might need to complete the task or vendors who need to be included in the process.
“They may just need to make sure proper policies and procedures are in place,” Hodes said. “In the smaller provider community, it's usually not the case … it's not that they don't want to be compliant, it's just that they don't understand how to.”
Within 4–8 weeks, there should be a follow-up meeting to gauge everyone's progress, Hodes said. This meeting could include the HIPAA security and privacy official (which every office should have and may be the same person), someone from human resources (if the office has one), in-house or external IT staff, the doctor in charge of compliance oversight, and legal counsel, if the doctor thinks it is pertinent.
Documentation of the process and follow-up on remediation are critical, Hodes said. Some of the mitigation may take time. That's normal, he said, but it is important to have someone accountable for systematically following up on the process.
“They should show they are doing something about the risk analysis and recommendations, but it doesn't necessarily have to be everything,” Pritts said.
Areas to Focus on After a Risk Assessment
Here's a list of areas that small providers often need to focus on after a risk assessment, according to Gary Pritts, president of Eagle Consulting Partners in Cleveland.
- Do you have insurance for business interruption or a data breach?
- Do you have a redundant internet connection, particularly for cloud-based organizations?
- With server-based systems, unpatched software security flaws are the most common cause of breaches. This can be mitigated by promptly applying security patches from vendors such as Microsoft and Adobe, for the Java runtime, and for any browsers used.
- Encryption of all mobile devices that hold protected health information (PHI).
- Implementation of a robust backup regimen including copies in multiple places and daily monitoring of the backup.
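Both the "regularly checking data backup" step above and the "daily monitoring of the backup" item in this list come down to the same question: does the newest copy exist in each location, is it recent, is it intact, and can it actually be restored? The script below is an added illustration by the editor, not code from the article or from any of the consultants quoted; the directory layout, the `backup-<timestamp>.tar.gz` naming, the sidecar manifest format, and the 24-hour and two-copy thresholds are all assumptions chosen for the example. It writes a backup to two places, then checks each copy for freshness, size, a SHA-256 match against the manifest, and a test restore into a scratch directory whose files are compared hash-by-hash against what was backed up.

```python
"""Backup health check: confirm a backup job actually produced a usable copy.

Hypothetical example added by the editor. Paths, file naming, the manifest
layout and the thresholds below are assumptions, not any product's interface.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import List, Optional

MAX_AGE_SECONDS = 24 * 60 * 60  # a "daily" backup counts as stale after one day
MIN_COPIES = 2                   # "copies in multiple places": require two healthy copies


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, dest_dirs: List[Path]) -> List[Path]:
    """Archive source_dir into every destination and write a sidecar manifest
    (assumed layout) holding the archive hash and a per-file hash list."""
    per_file = {str(p.relative_to(source_dir)): sha256_file(p)
                for p in sorted(source_dir.rglob("*")) if p.is_file()}
    archives = []
    for dest in dest_dirs:
        dest.mkdir(parents=True, exist_ok=True)
        archive = dest / f"backup-{int(time.time())}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(source_dir, arcname=".")
        manifest = {"archive_sha256": sha256_file(archive), "files": per_file}
        Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest))
        archives.append(archive)
    return archives


def check_backup(dest: Path, now: Optional[float] = None) -> dict:
    """Verify the newest archive in one location: freshness, size, manifest
    hash, and a test restore compared file-by-file against the manifest."""
    now = time.time() if now is None else now
    result = {"location": str(dest), "ok": False, "problems": []}
    archives = sorted(dest.glob("backup-*.tar.gz"))
    if not archives:
        result["problems"].append("no archive found")
        return result
    newest = archives[-1]
    result["archive"] = newest.name
    age = now - newest.stat().st_mtime
    if age > MAX_AGE_SECONDS:
        result["problems"].append(f"newest archive is {age / 3600:.1f}h old")
    if newest.stat().st_size == 0:
        result["problems"].append("archive is empty")
        return result
    manifest_path = Path(str(newest) + ".manifest.json")
    if not manifest_path.exists():
        result["problems"].append("manifest missing")
        return result
    manifest = json.loads(manifest_path.read_text())
    if sha256_file(newest) != manifest["archive_sha256"]:
        result["problems"].append("archive hash mismatch (corrupt or tampered)")
        return result
    # Test restore: a backup nobody has restored from is not known to work.
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(newest, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse path traversal members
            except TypeError:  # Python without the extraction-filter backport
                tar.extractall(scratch)
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                result["problems"].append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                result["problems"].append(f"content mismatch after restore: {rel}")
    result["ok"] = not result["problems"]
    return result


def check_all(dest_dirs: List[Path], now: Optional[float] = None) -> dict:
    reports = [check_backup(d, now) for d in dest_dirs]
    healthy = sum(1 for r in reports if r["ok"])
    return {"ok": healthy >= MIN_COPIES, "healthy_copies": healthy, "reports": reports}


def demo() -> dict:
    """Constructed end-to-end run: fresh copies pass, then a corrupted copy
    and a stale run are both caught. All data here is made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "ehr-exports"
        src.mkdir()
        (src / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        dests = [root / "onsite-nas", root / "offsite-copy"]
        make_backup(src, dests)
        fresh = check_all(dests)
        # Corrupt the offsite archive by flipping one byte; the manifest hash catches it.
        archive = sorted(dests[1].glob("backup-*.tar.gz"))[-1]
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        corrupted = check_all(dests)
        # Pretend the check runs three days later with no new backup taken.
        stale = check_all(dests, now=time.time() + 3 * MAX_AGE_SECONDS)
        return {"fresh_ok": fresh["ok"],
                "corrupted_ok": corrupted["ok"],
                "corrupted_healthy": corrupted["healthy_copies"],
                "stale_ok": stale["ok"],
                "stale_healthy": stale["healthy_copies"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run daily from a scheduled task and have it page someone when `ok` is false; the per-location `problems` list is what goes into the work-plan spreadsheet as evidence that the backup item was actually monitored rather than assumed to be working.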