HIPAA Education

Essentials for a successful security risk assessment

February 06, 2014  | Salvador Lopez – Content Writer, CareCloud – HIPAA Education
Beyond the inevitable loss of patient trust, there are two important reasons your practice should perform a yearly security risk analysis on the patient data held in your EHR and other electronic devices.

First, security breaches can lead to serious financial losses. HIPAA civil penalties can reach $50,000 per violation depending on severity, with an annual cap of $1.5 million for repeated violations of the same provision. Add any litigation brought by affected patients, and the costs can become enormous.

Additionally, conducting a security risk analysis and correcting deficiencies is a core requirement for both meaningful use Stage 1 and Stage 2.

These three steps explain how to conduct an effective security risk analysis:

1. Review HIPAA standards

Meaningful use's security risk analysis requirement is based on the HIPAA Security Rule (HIPAA itself was enacted in 1996; the Security Rule that implements its safeguards was finalized in 2003), which requires covered entities to conduct an accurate and thorough risk analysis (45 CFR 164.308(a)(1)(ii)(A)). Even for those not looking to attest, it is the standard by which the federal government judges patient information protection, so familiarizing yourself with it is the first step.

As with any regulation of this scope, the Security Rule is lengthy. But HHS publishes a much shorter summary of the rule, which covers the requirements your practice must meet to avoid penalties.

Because the rule was updated in 2013 (the Omnibus Rule took effect in March 2013, with a compliance deadline of September 23, 2013), it's important to review the content even if you're already somewhat familiar with it. Among other things, the omnibus update broadened the definition of business associate, made business associates directly liable for compliance, and expanded patients' rights of access to their protected health information (PHI).

2. Identify vulnerabilities

A certified EHR does not transfer responsibility for PHI to the vendor: the practice remains accountable for how the system is configured and used, so even practices with meaningful use-certified EHRs need to protect themselves against breaches.

Be sure to check your EHR's user access controls. If they are not properly configured, unauthorized staff members or even an intruder may gain access to sensitive patient information. Compare the list of active accounts against your current staff roster, remove or disable the accounts of departed employees promptly, and limit each role to the records and functions it actually needs.

Also focus on drafting a strong security policy. Ambiguity results in processes that put patient information at risk. Not having a written policy is worse: the Security Rule requires documented policies and procedures, so their absence is itself a compliance failure, independent of whether a breach ever occurs.

Portable devices are another area where security goes awry. Many breach horror stories involve staff members leaving USB drives or laptops holding patient information where thieves can easily reach them. Make sure your staff is fully aware of this liability, and encrypt any portable device that may hold PHI: under the Breach Notification Rule, PHI encrypted according to HHS guidance is treated as secured, so the loss of such a device is not a reportable breach.

3. Implement updates

To meet meaningful use – and for patient data security in general – you'll have to implement changes to fix the security risks you identified.

Every employee authorized to access your EHR should have a unique username and password; the Security Rule lists unique user identification as a required specification. Logging in under another person's username must be strictly forbidden. Tying each account to one named employee lets the EHR's audit log attribute every record access to a person, which is what makes tracing the source of a breach possible.

Include user access control protocols in your written policy. Other important areas to cover in your practice’s policy include data backup procedures, HIPAA rules for security breach notification and best practices for using portable devices.
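The audit-log review that unique user IDs make possible, as an added example that is not part of the original article: it reads a small EHR audit export, flags accounts that map to no named person (generic "front desk" logins), flags one username active on two workstations within a few minutes (a sign the credential is being shared), and attributes every access to one patient's chart to a person. The CSV layout, field names, staff roster and sample events are assumptions constructed for the illustration; a real EHR's export will differ.

```python
# Added example: reviewing an EHR audit log for the unique-user-identification
# control. The log format, field names, roster and events are constructed
# assumptions, not the article's or any vendor's real data.
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit export: one row per chart access.
SAMPLE_LOG = """timestamp,username,workstation,action,patient_id
2014-02-03T08:01:10,jsmith,WS-01,view,P1001
2014-02-03T08:03:42,frontdesk,WS-02,view,P1002
2014-02-03T08:04:05,jsmith,WS-07,view,P1003
2014-02-03T09:15:00,mlee,WS-03,update,P1001
2014-02-03T09:20:30,frontdesk,WS-05,view,P1004
2014-02-03T13:10:12,jsmith,WS-01,view,P1001
"""

# Constructed staff roster: exactly one named person per account.
ROSTER = {"jsmith": "J. Smith", "mlee": "M. Lee"}


def parse_log(text):
    """Parse the CSV export into dicts, turning the timestamp into a datetime."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def unassigned_accounts(events, roster):
    """Accounts seen in the log that map to no single person (generic or shared logins)."""
    return sorted({e["username"] for e in events} - set(roster))


def concurrent_workstations(events, window=timedelta(minutes=10)):
    """One username active on two different workstations within `window`.

    That pattern usually means a credential is being shared, which defeats
    the per-user accountability the unique-ID control is meant to provide.
    Returns (username, first_workstation, second_workstation, time_of_second).
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        by_user[e["username"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            same_ws = a["workstation"] == b["workstation"]
            if not same_ws and b["timestamp"] - a["timestamp"] <= window:
                hits.append((user, a["workstation"], b["workstation"], b["timestamp"]))
    return hits


def who_touched(events, patient_id, roster):
    """Attribute every access to one patient's record to a named person.

    Accesses through an account not on the roster are marked unattributable:
    with a shared login the log cannot say which person was at the keyboard.
    """
    out = []
    for e in events:
        if e["patient_id"] == patient_id:
            person = roster.get(e["username"], "UNATTRIBUTED (shared account)")
            out.append((e["timestamp"].isoformat(), e["username"], person, e["action"]))
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Accounts with no named owner:", unassigned_accounts(evs, ROSTER))
    for user, ws1, ws2, when in concurrent_workstations(evs):
        print(f"Possible shared credential: {user} on {ws1} and {ws2} by {when}")
    for row in who_touched(evs, "P1001", ROSTER):
        print("P1001 accessed:", row)
```

Run it against a real export and the two flagged conditions are exactly what a risk analysis should turn into remediation items: retire the generic account in favour of individual logins, and ask the user seen on two workstations whether someone else knows the password.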

A preemptive security risk analysis will not make a breach impossible, but it lowers the likelihood and limits the damage when one happens. Document the analysis and the remediation decisions, and repeat it at least yearly or whenever the practice changes systems or workflows. Putting effort into protecting patient data ahead of time can save you from severe financial headaches down the line.

The Tier3MD website is loaded with valuable HIPAA information. As a Business Associate, we take HIPAA very seriously, and the safety of your ePHI is very important to us. If you would like a HIPAA consultation, please contact us at 1-855-MYTIER3, or email us at mbrown@tier3md.com.

Salvador Lopez is a writer focusing on practice marketing, practice management, patient treatment and practice workflow.
