Risky business: HIPAA compliance and the importance of risk analysis assessments


As we have discussed in many previous articles, HIPAA has changed the way that dental practices need to operate. Not only do dentists need to be current on the latest technology and IT systems, but they must also ensure that they incorporate technologies in a HIPAA-compliant manner.


While we’ve looked at things from a technical standpoint in the past, most offices that have gone through the process of HIPAA compliance realize that there are many administrative parts of HIPAA as well. In fact, more than 50 percent of all HIPAA rules and regulations are administrative in nature.


While we will examine many of these in the coming months, there is one critical component that should be talked about first, as most HIPAA auditors will ask for this the minute they walk through the door: a copy of your most recent risk analysis.

What is a risk analysis and why is it important? Well, HIPAA section 164.308(a)(1)(ii)(A) is quite clear, and it states, “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” This is a required section; you must do this. Another section, 164.316(b)(2)(iii), says you must update it periodically.

Easy, right? Wrong! The people who put together HIPAA were purposely vague about the details. They understood that a risk analysis in a dental office is much different from one in a multi-location hospital, so they left it up to the covered entity (you) to figure out the details.


I would recommend that the following constitute a risk analysis:

  • Determine where vulnerabilities exist.

  • Determine what threats your network faces.

  • Determine where you are at risk.

  • Collect data.

  • Identify and document threats and vulnerabilities.

  • Assess your current security measures.

  • Determine the likelihood of threat occurrence.

  • Determine the level of risk.

  • Finalize documentation.

There are many ways to do a risk analysis. We offer a free one on our website at www.thedigitaldentist.com/risk-assessment. There are HIPAA professionals who can assist you to do similar assessments either remotely or onsite.

As far as the frequency, that is also up for debate. I recommend doing a risk analysis annually, but if there haven’t been any significant changes to your practice, you can argue that every two to three years is also appropriate.

© 2024 MJH Life Sciences

All rights reserved.