How to Conduct a HIPAA Security Assessment

Keeping patients’ confidential records secure is of utmost importance to healthcare organisations and the vendors who work alongside them. Not only is the proper safeguarding of information a good practice, it’s the law. The Health Insurance Portability and Accountability Act (HIPAA) seeks to protect the sensitive data of patients and to empower healthcare practitioners to keep that information safe through strong security and privacy policies.
HIPAA does not have specific recommendations for how to best protect much of the electronic storage and transmission that takes place with medical data today. The HIPAA requirements do, however, inform practices on the conceptual frameworks they should or must adhere to in order to achieve compliance. With advancements in medical record technology, it’s imperative that practices consistently check these patient record security and privacy policies to find and resolve gaps and stay HIPAA-compliant. Performing a HIPAA security assessment can help your practice identify potential threats and vulnerabilities and create a plan for improved handling of patient data moving forward.
Here are some important steps to include in regular HIPAA security assessments.

Take Inventory

Create a thorough list of all the places your practice stores electronic records, from desktop computers to mobile devices. The scope of your assessment will vary based on the size of the practice, but the idea is the same: Track all the devices in your organisation that contain any information that’s HIPAA-protected. Also, track all vendors your organisation uses that transmit or store protected health information (PHI) for you. You should also include notes on where non-digital, physical copies of information exist. Make sure you include every physical and digital location of ALL patient data, not just full medical records, in this inventory list.
Collect Data

After you know the location of the patient data, it’s time to list the exact information contained at all locations. Part of this step includes asking the question, “Does this data need to exist in this location?” For example, an email database that reminds patients of upcoming appointments may not need more than a name, email address, and the date(s) of the appointment(s). There’s no need for full or partial medical records or Social Security numbers connected to that database. This idea translates to other databases and operations in your practice, too. Store as little information as possible and keep it minimised to as few locations as possible.
Pinpoint Threats

This is perhaps the most difficult part of a HIPAA security assessment because most healthcare practices aren’t fully aware of the threats that exist to electronic data. This is where practices should consider bringing in a professional electronic security assessment company to advise them. Just as your healthcare practice or service employs experts in your field, electronic security firms are experts in theirs. They can look at your HIPAA practices and electronic storage and tell you the exact threats you face and how to mitigate them.
Analyse Security Measures

The starting point for this step is identifying what (if any) security measures are in place. Has anything threatened the current security measures? A security assessment firm can also give input on this point by looking at what you now do to protect HIPAA data and looking for even more secure solutions. Professionals can look at your setup, from stronger firewalls to encryption, and give you feedback on the latest security methods designed to protect the confidential information of patients.
Consider the Likelihood of Threats

In this step, you will combine all the knowledge from previous actions and prioritise potential threats. It’s important to consider both external threats (like hackers) and internal threats (like employees acting carelessly with protected health information or not following protocols). Is there privileged information available to people within the organisation who don’t really need it? The fewer people who have access to protected health information, the smaller the chance of mishandling that data. When it comes to external threats, do a little research into recent medical record hacking and find out how the scammers obtained the information. Does your practice have the same vulnerabilities? If so, how can you prevent them?
Once you’ve determined the likelihood of threats, it’s important to prioritise them. If you’re transmitting medical information in an unencrypted environment, for example, you’ll want to address this threat immediately. All security weaknesses are a problem, of course, but based on the size of your practice and its nature, you will want to make a priority list.
Analyse Potential Threat Impact

If electronic health information leaked, what would that mean for your practice? Violations of privacy would certainly lead to loss of trust from patients but could also lead to more devastating losses and even lawsuits. Take a hard look at what inadequate HIPAA security policies and actions could mean for your practice and then take action.
Create a HIPAA Security Plan

Once you have a thorough picture of where your current HIPAA security measures lie, you can start to build a plan for stronger protection. A risk management plan can help guide a practice through the process of strengthening its data protections. This plan should include actionable steps, a realistic timeline, roles of the practice as a whole, responsibilities of individual employees and vendors, and a date for revisiting the plan for updates and reassessment. This security plan is a blueprint for how you can commit to protecting patient data, electronic and otherwise.
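The steps above (inventory, data collection, likelihood, impact, prioritisation) can be kept in a simple risk register. The following is an added example, not code from the original article or from any particular product: a constructed inventory of three data stores is checked for PHI held beyond what each store's purpose needs, for unencrypted storage or transmission, and for broad access, and then ranked by a likelihood-times-impact score. The store names, data elements, scores and the 1-to-3 scale are all assumptions made for the illustration.

```python
# Added example: a minimal risk register for a HIPAA security assessment.
# All store names, data elements and scores below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class DataStore:
    name: str
    location: str               # e.g. "email vendor", "practice server", "filing cabinet"
    data_elements: set          # what the store actually holds
    needed_elements: set        # the minimum its purpose requires
    physical: bool              # paper records: encryption checks do not apply
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    users_with_access: int
    likelihood: int             # 1 = low, 2 = medium, 3 = high (constructed scale)
    impact: int                 # 1 = low, 2 = medium, 3 = high (constructed scale)

    def excess_elements(self):
        """Data elements stored beyond what the store's purpose needs."""
        return self.data_elements - self.needed_elements

    def findings(self):
        """Plain-language issues an assessor would record for this store."""
        out = []
        if self.excess_elements():
            out.append(f"stores unnecessary PHI: {sorted(self.excess_elements())}")
        if not self.physical:
            if not self.encrypted_in_transit:
                out.append("PHI transmitted unencrypted")
            if not self.encrypted_at_rest:
                out.append("PHI stored unencrypted")
        if self.users_with_access > 10:   # assumed threshold for a need-to-know review
            out.append(f"{self.users_with_access} users have access; review need-to-know")
        return out

    def risk_score(self):
        """Likelihood x impact on the 1-3 scale (max 9). Unencrypted transmission
        is forced to the maximum, matching the article's advice to fix it immediately."""
        score = self.likelihood * self.impact
        if not self.physical and not self.encrypted_in_transit:
            score = 9
        return score


def prioritise(stores):
    """Return (name, score, findings) tuples ordered highest risk first."""
    ranked = sorted(stores, key=lambda s: s.risk_score(), reverse=True)
    return [(s.name, s.risk_score(), s.findings()) for s in ranked]


# Constructed inventory, following the article's appointment-reminder example:
# the reminder database needs only name, email and appointment date.
INVENTORY = [
    DataStore("appointment reminders", "email vendor",
              {"name", "email", "appointment_date", "ssn", "diagnosis"},
              {"name", "email", "appointment_date"},
              physical=False, encrypted_in_transit=True, encrypted_at_rest=True,
              users_with_access=3, likelihood=2, impact=3),
    DataStore("EHR", "practice server",
              {"name", "dob", "diagnosis", "ssn"},
              {"name", "dob", "diagnosis", "ssn"},
              physical=False, encrypted_in_transit=False, encrypted_at_rest=True,
              users_with_access=25, likelihood=2, impact=3),
    DataStore("paper charts", "locked filing cabinet",
              {"name", "dob", "diagnosis"},
              {"name", "dob", "diagnosis"},
              physical=True, encrypted_in_transit=True, encrypted_at_rest=True,
              users_with_access=4, likelihood=1, impact=2),
]


if __name__ == "__main__":
    for name, score, findings in prioritise(INVENTORY):
        print(f"{score}/9  {name}")
        for f in findings:
            print(f"       - {f}")
```

Run as a script, the register lists the EHR first because its unencrypted transmission pins the score at the maximum, then the reminder database for holding Social Security numbers and diagnoses it does not need, and the paper charts last. The thresholds and scale are the assessor's to set; the value of the exercise is forcing each store's purpose, contents, exposure and access to be written down in one place.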
HIPAA compliance has evolved since the laws first went into effect 20 years ago. There are so many information vulnerabilities, especially now with electronic record keeping and transmission, that practices should never assume their data is safe. Conducting a thorough security assessment can relieve some of the HIPAA-protection burden and free healthcare workers to do what they do best: care for patients.

Erik Kangas