What is a HIPAA Security Risk Analysis?

By eHealth Specialist Ann Guilmette

A HIPAA security risk analysis is a process that helps ensure that a practice is following the national security standards for protected health information (PHI). It involves a thorough look at the practice, with a particular focus on information technology security standards. As part of the analysis, someone in the office (typically a physician or a practice manager) should be designated as the HIPAA security officer, who will:

  1. Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for PHI. Ensure that policies and procedures are up to date.
  2. Ensure computer screens do not face the reception room or any direction within view of unauthorized personnel.
  3. Train staff to always log out of the electronic health record system when leaving their computer.
  4. Mandate password changes on a regular basis (or, where the practice follows current NIST SP 800-63B guidance, whenever there is evidence a password has been compromised). Ensure passwords are not shared, written down, or posted in places where others can see them.
  5. Keep portable hardware containing data secure and stored in a locked location when not in use.
  6. Review audit trails on a regular and periodic basis to identify potential system abuse or misuse.
  7. Maintain a list of the practice's third-party vendors that handle PHI and ensure each one signs a Business Associate Agreement (BAA) that limits their use and disclosure of PHI to what the practice permits and obligates them to safeguard it.
  8. Maintain an inventory of all equipment that stores PHI including equipment stored off site.
    • PHI at rest is best thought of as PHI that is "stored": in end-user devices such as desktop or laptop computers, in file and database servers, in consumer devices such as personal digital assistants and smartphones, and in removable storage media such as USB flash drives, memory cards, external hard drives, and writeable CDs or DVDs.
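Item 6 above calls for regular review of audit trails, but most EHR audit logs are far too long to read by hand. The script below is an added example (it is not part of this article and not part of any EHR product) that shows two misuse signals a security officer can check mechanically: record access outside business hours, and a single user opening an unusually large number of distinct patient records in one day. The audit log is constructed sample data in an assumed CSV layout (timestamp, user, patient_id, action); the business-hours window and the per-day threshold are assumptions that a practice would tune to its own roles and schedule.

```python
"""Scan a constructed EHR audit trail for after-hours and high-volume access."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample audit trail (not real patient data). The columns are an
# assumed layout that mirrors what most EHR audit logs record.
SAMPLE_AUDIT_LOG = """\
timestamp,user,patient_id,action
2023-05-01T08:15:00,dr.lee,P1001,view
2023-05-01T08:40:00,dr.lee,P1002,view
2023-05-01T09:05:00,front.desk,P1003,view
2023-05-01T09:06:00,front.desk,P1004,view
2023-05-01T09:07:00,front.desk,P1005,view
2023-05-01T09:08:00,front.desk,P1006,view
2023-05-01T09:09:00,front.desk,P1007,view
2023-05-01T09:10:00,front.desk,P1008,view
2023-05-01T09:11:00,front.desk,P1009,view
2023-05-01T09:12:00,front.desk,P1010,view
2023-05-01T09:13:00,front.desk,P1011,view
2023-05-01T09:14:00,front.desk,P1012,view
2023-05-01T09:15:00,front.desk,P1013,view
2023-05-01T23:30:00,nurse.kim,P1001,view
2023-05-02T10:00:00,dr.lee,P1003,update
"""

BUSINESS_HOURS = (7, 19)             # assumed: 07:00 to 18:59 is normal working time
MAX_DISTINCT_PATIENTS_PER_DAY = 10   # assumed threshold; tune per role and practice


def parse_audit_log(text):
    """Return the log rows as dicts, with the timestamp parsed to a datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def after_hours_access(rows, hours=BUSINESS_HOURS):
    """Rows whose access time falls outside the [start, end) hour window."""
    start, end = hours
    return [r for r in rows if not (start <= r["timestamp"].hour < end)]


def high_volume_users(rows, limit=MAX_DISTINCT_PATIENTS_PER_DAY):
    """Map (user, date) -> distinct patient count, for counts above the limit."""
    seen = defaultdict(set)
    for r in rows:
        seen[(r["user"], r["timestamp"].date())].add(r["patient_id"])
    return {key: len(patients) for key, patients in seen.items()
            if len(patients) > limit}


def review_audit_trail(text):
    """Run both checks and return the findings in a reviewable form."""
    rows = parse_audit_log(text)
    return {
        "after_hours": [(r["user"], r["timestamp"].isoformat(), r["patient_id"])
                        for r in after_hours_access(rows)],
        "high_volume": {f"{user}@{day.isoformat()}": count
                        for (user, day), count in high_volume_users(rows).items()},
    }


if __name__ == "__main__":
    for finding, details in review_audit_trail(SAMPLE_AUDIT_LOG).items():
        print(finding, details)
```

On the sample data this flags the single 23:30 access by nurse.kim and the front-desk account that opened 11 distinct records on 2023-05-01. Neither finding proves misuse; the point of the periodic review is that each flagged item gets a documented explanation (an on-call visit, a scheduling task) or an investigation.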

Meaningful Use Core Measure: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

In order to attest to this measure, a Security Risk Analysis in accordance with the requirements under 45 CFR 164.308(a)(1) must be conducted annually.

We're here to help! Please contact your eHealth specialist today.