In the ten years between 2009 and 2019, hackers broke into health information systems nearly 1500 times. In total, around 170 million Americans were affected.
These breaches had real and serious consequences for both the victims and the providers who failed to properly secure their data. They led to a change in HIPAA requirements and a crackdown on non-compliant entities.
Keep reading to learn how a health information system risk assessment can protect your organization and your patients today.
HIPAA and Data Security
When hospitals first began using computers to manage and track their operations and patient electronic medical records (EMR), there were no established rules to follow. Each facility did what it thought was best.
As the use of EMR and other digital systems expanded, so did the exposure of the personal data they held. Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and directed the US Department of Health and Human Services (HHS) to set national standards for protecting patients' health information; HHS then issued the regulations that give HIPAA its teeth.
HIPAA came to consist of several parts. Of critical importance to providers are the Privacy Rule and the Security Rule. The Privacy Rule defines protected health information (PHI) and governs how it may be used and disclosed. The Security Rule applies to PHI in electronic form (ePHI) and lays out the minimum administrative, physical, and technical safeguards required to protect it.
Who Is Subject to HIPAA?
HIPAA applies to "covered entities" and to the "business associates" that handle PHI on their behalf. This includes, but is not limited to:
- Providers (hospitals, clinics, practices, and other clinicians who transmit health information electronically)
- Health plans, including insurance companies
- Health care clearinghouses
- Business associates: vendors, partners, support agencies, and researchers who create, receive, store, or transmit PHI for a covered entity
HIPAA compliance is required for both entity operations and their health information systems (HIS).
What Qualifies as a HIS?
Any system that collects, manages, stores, or transmits patients' protected health information is a HIS. Common examples of HIS include:
- Practice Management Software programs
- Electronic Medical Record systems
- Online patient or provider portals
- Clinical Decision Support tools
- Telehealth and Remote Patient Monitoring programs
- Master Patient Indexes
What Is a Health Information System Risk Assessment?
A HIS risk assessment (the Security Rule calls it a "risk analysis") is a systematic review of an entity's HIS to determine:
- HIPAA compliance
- System weaknesses and vulnerabilities
- Operational or practice-based threats to data safety
A good assessment gives operators a clear picture of:
- What threats they face
- How serious the threats are
- The cost of a breach resulting from the identified vulnerability
- What needs to happen to protect the data or resolve the threat
Common vulnerabilities and threats include:
- Opportunities for data tampering, such as records that can be altered without an audit trail
- Lack of appropriate backups and redundancies
- Missing or weak access controls that allow unauthorized users to reach ePHI
- Inadequate physical securing and encryption of hardware such as laptops and portable media
- Failure of medical staff to use the system and its controls properly
For best results, HIPAA assessments should be done by a trained and experienced third party. This reduces internal bias and blind spots, and it lets entities draw on the broader experience such experts bring to the assessment, which can surface solutions the entity did not know were available.
Who Needs One?
Every entity subject to HIPAA compliance needs to complete a HIS risk assessment regularly. Organizations and companies that partner with or serve covered entities should also conduct risk assessments if they handle private patient information in any way.
How Often Should You Perform an Assessment?
Medical organizations and their partners should perform risk assessments regularly. HIPAA does not prescribe a fixed interval, but HHS guidance treats risk analysis as an ongoing process. The exact frequency will depend on many factors but, at a minimum, risk assessments should be done:
- At least once per year
- Whenever the hardware, software, or systems in use change
- Whenever entity policies and practices around data change
- Whenever entity partners or support service providers change
- After any security incident or breach
This ensures that providers do not miss weaknesses that develop over time or when established practices and protections change.
Benefits of Performing an Assessment
Enforcement of the HIPAA Security Rule falls to the HHS Office for Civil Rights (OCR). In recent years, the OCR has doubled down on enforcement. It has levied substantial fines against non-compliant entities in an effort to protect patient data, and a missing or inadequate risk analysis is one of the deficiencies it cites most often.
HIS risk assessments can save entities from becoming the next to suffer fines and other penalties. They also:
- Protect patients
- Protect providers
- Provide key insights
- Improve provider operations
Risk assessments reduce the likelihood that patient information will be stolen. This in turn reduces the risk that entities will suffer the embarrassment, reputation damage, and costly legal liability associated with information breaches.
Assessments do more than that, however, particularly when they are performed by experienced third-party experts. Assessments:
- Identify better administration practices entities can use
- Identify gaps in training and implementation among entity staff
- Save entities money by locating problems while they are small and easily fixable
- Increase patient confidence and participation in EMR systems
- Improve entity staff’s understanding and awareness of and respect for HIPAA law
Finally, it's important to note that risk assessments are not optional. A risk analysis is a required implementation specification of the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)). Performing HIS risk assessments is part of every entity's minimum responsibilities under the law.
How to Get Started
If your electronic records and HIS are overdue for a review, where do you start?
First, decide to bring in a third party rather than trying to perform the assessment yourself. This will give you the best possible results and return on investment.
Second, understand what your assessment needs to include. Good assessors will:
- Review your HIPAA documentation
- Perform the risk assessment
- Assist with corrective staff training, where needed
- Have certified IT experts who can help you fix technical problems they find
- Provide emergency support in the event of a breach
- Assist you in answering questions about your security during OCR audits
- Provide backup, disaster recovery, and IT support services
Third, schedule your risk assessment as soon as possible. This limits the risk of a breach or OCR audit before you have a chance to identify and correct any problems.
Schedule Your Assessment Now
Let our first-class experts perform your health information system risk assessment right away. Use our convenient online form to get more information or set a date for your assessment now to ensure your entity has the data protection it needs.