Patient Privacy: Complete Your Security Risk Assessment

Each year, chiropractic practices are required to complete a security risk assessment to ensure that patient information is being handled properly and is secure. Both HIPAA and MACRA/MIPS identify the need to conduct an annual risk assessment. Although HIPAA does not set a specific date by which this must be completed, MACRA/MIPS sets a deadline of the end of the calendar year. Whenever you decide to complete this important task, here are some things to keep in mind:

How Do You Prepare for Your Annual HIPAA Risk Assessment?

There are a few steps you can take to help you prepare for your annual HIPAA risk assessment.

1. Identify the electronic protected health information (ePHI) within your practice. This includes ePHI that you create, receive, maintain, or transmit.
2. Identify external sources of ePHI. These are your business associates that create, receive, maintain, or transmit ePHI on your behalf.
3. Identify human, natural, and environmental threats to information systems that contain ePHI.

How Do You Complete a Risk Assessment?

To complete an accurate and thorough security risk assessment, chiropractic practices must address all six components listed below.

1. Collecting Data: The first step in conducting a security risk assessment (SRA) is identifying where ePHI is created, stored, received, maintained, or transmitted. This includes any devices or software that have the potential to access ePHI (e.g., computers, mobile devices, tablets, electronic medical records platforms, online appointment scheduling software, etc.).

2. Identifying and Documenting Potential Threats and Vulnerabilities: After completing step one, reasonably anticipated threats and vulnerabilities to ePHI must be documented. This includes any vulnerability that could potentially be exploited by a threat, and whether improper access to or disclosure of ePHI could result from that vulnerability.

3. Assessing Current Security Measures: The next step requires practices to document what security measures they currently have in place protecting ePHI, referred to as HIPAA safeguards. These security measures must meet HIPAA Security Rule guidelines, and be properly configured and maintained.

4. Determining the Likelihood of Threat Occurrence: Based on the threats identified in step 2, practices must determine the likelihood that a potential risk to ePHI will be exploited, leading to an incident.

5. Determining the Potential Impact of Threat Occurrence: Next, it is important to determine the impact that a threat would have if it exploited a vulnerability. Would the impact be severe, moderate, or low?

6. Determining the Level of Risk: Lastly, practices must determine the level of risk that each vulnerability to ePHI poses. Making this determination allows practices to create remediation plans accordingly, ensuring that the vulnerabilities posing the most risk are addressed first.
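The six components above map naturally onto a risk register: one row per ePHI asset/threat/vulnerability combination, the safeguards currently in place, a qualitative likelihood and impact rating, and a risk level derived from the two. The following Python script is an added example written for this page and is not from the article, ACA, or Compliancy Group. The assets, threats, safeguards and ratings in the sample register are constructed for a hypothetical practice, and the 3x3 likelihood-by-impact matrix is one common qualitative scheme (in the style of NIST SP 800-30), not a mandated HIPAA formula.

```python
"""Qualitative ePHI risk register covering the six SRA components.

Added example, not from the original article. All register entries below are
constructed sample data for a hypothetical chiropractic practice.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Qualitative scale used for likelihood (step 4), impact (step 5) and risk (step 6).
LEVELS = ("Low", "Moderate", "High")
_RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Assumption: a simple 3x3 matrix mapping (likelihood, impact) -> risk level.
# A practice may adopt a different matrix; the rest of the code does not care.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("Low", "Low"): "Low",          ("Low", "Moderate"): "Low",          ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",     ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate",    ("High", "Moderate"): "High",         ("High", "High"): "High",
}


@dataclass
class RiskEntry:
    asset: str               # step 1: where ePHI is created, stored or transmitted
    threat: str              # step 2: human, natural or environmental threat
    vulnerability: str       # step 2: weakness the threat could exercise
    safeguards: List[str]    # step 3: HIPAA safeguards currently in place
    likelihood: str          # step 4: Low / Moderate / High
    impact: str              # step 5: Low / Moderate / High

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so the matrix lookup cannot fail later.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")

    @property
    def risk_level(self) -> str:
        """Step 6: derive the risk level from likelihood and impact."""
        return RISK_MATRIX[(self.likelihood, self.impact)]


def prioritize(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register so the highest-risk items are remediated first.

    Ties on risk level are broken by likelihood, then by impact.
    """
    return sorted(
        entries,
        key=lambda e: (_RANK[e.risk_level], _RANK[e.likelihood], _RANK[e.impact]),
        reverse=True,
    )


def unmitigated(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Entries with no documented safeguard at all (a step 3 gap to close first)."""
    return [e for e in entries if not e.safeguards]


def remediation_plan(entries: List[RiskEntry]) -> List[str]:
    """Human-readable plan lines in remediation order."""
    return [
        f"[{e.risk_level}] {e.asset}: {e.threat} via {e.vulnerability} "
        f"(safeguards: {', '.join(e.safeguards) or 'none'})"
        for e in prioritize(entries)
    ]


# Constructed sample register for a hypothetical practice (not real findings).
SAMPLE_REGISTER = [
    RiskEntry("Front-desk workstation", "theft or loss of device",
              "local disk not encrypted", [], "Moderate", "High"),
    RiskEntry("Online scheduling vendor (business associate)", "unauthorized account access",
              "shared login, no multi-factor authentication", ["BAA signed"], "Moderate", "Moderate"),
    RiskEntry("On-site backup drive", "flood or water damage",
              "single on-site copy, no off-site backup", ["locked cabinet"], "Low", "High"),
    RiskEntry("Staff tablet used for charting", "phishing of staff credentials",
              "no security awareness training", ["MDM with remote wipe"], "High", "Moderate"),
]

if __name__ == "__main__":
    for line in remediation_plan(SAMPLE_REGISTER):
        print(line)
```

Running the script prints the register in remediation order: the staff tablet and the unencrypted workstation (both High) come first, followed by the scheduling vendor and the backup drive (both Moderate). `unmitigated()` separately flags the workstation as having no documented safeguard at all, which is the kind of step 3 gap an assessor would want surfaced regardless of its computed rank.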

How Are Vulnerabilities, Threats, and Risks Defined?

The Department of Health and Human Services (HHS) refers to the National Institute of Standards and Technology (NIST) when it comes to cybersecurity.

NIST Special Publication (SP) 800-30 defines:

Vulnerability as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”

Threat as “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

Risk as “The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . . [R]isks arise from legal liability or mission loss due to—

1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

Although conducting a security risk assessment is an important part of HIPAA, it is just one small component of meeting HIPAA requirements. As ACA’s Preferred HIPAA Solution, Compliancy Group gives chiropractic professionals confidence in their compliance plan, increasing patient loyalty and profitability of their practice, while reducing risk. Click here to find out more about Compliancy Group and HIPAA compliance.