The “Where, What, and How” of Your Risk Assessment


Back during tax season, we talked about the importance of a “Financial Risk Assessment” – a great method of evaluating how you are handling your practice’s financials, and how to decrease any risks.  This month, we’re bringing it back to the typical HIPAA Risk Assessments that you’re accustomed to hearing about here.

While a risk assessment is required under the HIPAA Security Rule, it doesn't have to be complicated!  To boil down what the US Department of Health & Human Services says, you can think of your risk assessment simply as a “where, what, and how” for your practice.  (See the end of this article for more information that comes directly from HHS.)

Where – The cloud, the locked file cabinet, or even your email – these are all places where PHI is stored or transmitted.   The first step in your risk assessment is identifying all of these places. As the technology used in your practice changes, it’s important to keep the “where” of your risk assessment up to date. It can be a tedious process to note all of the areas of your practice where there is a potential for a breach.  It’s easy to overlook some places, such as your digital copier/printer (many keep a copy of every scanned page on an internal drive) or your banking software.  Working through the “where” is an integral, albeit time consuming, part of your risk assessment.

What – As in, “What could possibly go wrong?”  A cell phone can get lost or stolen, an email account can be hacked, and the cleaning crew has access to your office and could read a document left on a desk… I’m not usually one to take such a negative approach – but once you establish the “where,” it’s time to play the “worst case scenario” game.  “What” lays out all the possible problems, and each one feeds into “how” – its likelihood and its impact.

How – Lastly, ask yourself, “How likely is it that something will go wrong? If it did, how badly would it affect my clients?”  Risk is the combination of those two answers, and they can point in different directions.  The likelihood that my cell phone could be lost or stolen is high, but the impact of such a loss might be low because of precautions I am already taking with clients’ PHI.  For example, my cell phone requires a passcode (we’ve talked about the importance of this before!), which also means the phone’s storage is encrypted, so a stolen phone doesn’t give up its contents; I limit apps; and I have a policy for periodically reviewing and deleting PHI from my phone.

Once you establish the “where, what, and how” of your practice’s risk assessment, the final step is to identify—and take—preventative measures to minimize that risk. A preventative measure can be as simple as ensuring that your client is informed of the risk of sending personal information to you in an email that is not encrypted.  Make a good faith effort to address all risks, prioritizing those that are high likelihood or high impact, and write down what you found and what you did about it: the Security Rule expects the assessment and the measures you take to be documented, and the written record is what you will update the next time your “where” changes.
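To make the “where, what, and how” concrete, here is a small risk register in Python. It is an added example, not part of the original post and not anything HHS prescribes: the 1–3 scale for likelihood and impact, the multiply-and-compare scoring, the attention threshold of 4, and every entry in the sample inventory are assumptions made up for illustration. What it shows is the point of the “how” step: the phone stays just as likely to be lost, but each precaution lowers what a thief actually gets, and that is what moves it down the to-do list.

```python
# Added example: a minimal "where / what / how" risk register.
# The entries are constructed for illustration and are not the post
# author's inventory. Scoring (likelihood x impact on a 1-3 scale) is
# one common qualitative scheme; HHS does not prescribe a numeric scale.
from dataclasses import dataclass, field
from typing import List

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    where: str                      # where PHI lives or moves
    what: str                       # what could go wrong there
    likelihood: str                 # "low" | "medium" | "high"
    impact: str                     # "low" | "medium" | "high"
    controls: List[str] = field(default_factory=list)  # measures already in place

    def score(self) -> int:
        """Risk = likelihood x impact, from 1 (negligible) to 9 (critical)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def add_control(risk: Risk, control: str, new_impact: str) -> Risk:
    """Record a preventative measure and the impact it leaves behind.

    Controls rarely change how often a phone gets lost; they change what
    a thief gets when it is, so only the impact rating is revised here.
    """
    return Risk(risk.where, risk.what, risk.likelihood, new_impact,
                risk.controls + [control])


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by asset name so output is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.where))


def needs_attention(risk: Risk, threshold: int = 4) -> bool:
    """Anything scoring at or above the (assumed) threshold goes on the to-do list."""
    return risk.score() >= threshold


def build_register() -> List[Risk]:
    """Constructed sample inventory: one 'where' and one 'what' per line."""
    # The phone as it would be rated with no precautions at all.
    phone = Risk("Cell phone", "lost or stolen", "high", "high")
    # "How": the same phone after the precautions described in the post.
    phone = add_control(phone, "lock-screen passcode (storage encrypted)", "medium")
    phone = add_control(phone, "limited apps; periodic PHI deletion", "low")
    return [
        phone,
        Risk("Email account", "account compromised", "medium", "high"),
        Risk("Digital copier", "hard drive retains scanned PHI", "low", "high"),
        Risk("Locked file cabinet", "cleaning crew reads a document", "low", "medium"),
    ]


if __name__ == "__main__":
    for r in prioritize(build_register()):
        flag = "ACT" if needs_attention(r) else "ok"
        ctl = "; ".join(r.controls) or "none"
        print(f"{r.score()} {flag:3} {r.where}: {r.what} (controls: {ctl})")
```

Run as a script it prints the register highest risk first, with the email account flagged for action and the phone sitting at the bottom despite its high likelihood. The register is also the document the Security Rule wants to see: when a new app, device or vendor enters the practice, add a row rather than starting over.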

When is the last time you evaluated your risk assessment?  Have you found that your procedures have changed over time, or stayed the same?

PS.  I know some folks like to read the source, so here’s more info from HHS:

“As stated in the preamble to the Security Rule, 68 Fed. Reg. 8350 (February 20, 2003), an entity should be able to rely upon the information gathered in complying with the other security standards, for example, its risk assessment and risk management procedures and the Privacy Rule standards, to determine what constitutes a security incident in the context of its business operations.” US Department of Health & Human Services