Conducting a risk analysis key for HIPAA compliance

It is important for dentists to conduct a Security Rule risk analysis as required by the Health Insurance Portability and Accountability Act (HIPAA) to protect their patients’ information and minimize liability risk.  A recent review of HIPAA enforcement actions reveals that entities were penalized for not having a documented risk analysis or for having an incomplete analysis.

Congress passed HIPAA in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the electronic transmission of patient health information was to be encouraged by the legislation, there needed to be means to protect the confidentiality of that information, and thus, the HIPAA Security Rule was created.

One of the ways dentists can be in compliance with the HIPAA Security Rule is to have a documented risk analysis conducted on their practices’ information systems.

The U.S. Department of Health and Human Services (HHS) outlines a risk analysis as follows: “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Dentists may utilize the sample risk assessment worksheet contained in the ADA Practical Guide to HIPAA Compliance. Dentists who are not tech savvy may want to utilize a tech consultant to look at how electronic information is stored and transmitted at their practice and to identify risks and threats to the system.

“A risk analysis will help a practice map out a plan and make recommendations on the weaknesses that the dentist needs to focus on,” said Rami J. Zreikat, one California IT professional with 25 years of experience. Zreikat will lead a lecture on the topic at CDA Presents The Art and Science of Dentistry in Anaheim on May 16.

There is no single method or way to conduct a risk analysis that is a surefire path toward compliance with the HIPAA security rule. The HHS has laid out a process for common steps, however. The following are provided as examples of steps that covered entities could apply to their environment.

1. Identify the scope of the analysis.
2. Gather data.
3. Identify and document potential threats and vulnerabilities.
4. Assess current security measures.
5. Determine the likelihood of threat occurrence.
6. Determine the potential impact of threat occurrence.
7. Determine the level of risk.
8. Identify security measures and finalize documentation.

For more details on these steps, visit the Department of Health and Human Services website.

Other things dentists can do to protect themselves include, among other things, instituting a system to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports; designating one staff person to be the “security officer” (similar to the designation of a privacy officer as required by the HIPAA Privacy Rule); and having business associate agreements that require compliance with the Security Rule and notification of data breaches that occur with the respective business associate.

Secure electronic transmission of protected health information is one of the many requirements of the HIPAA Security Rule. Dental practices should review the rule requirements to ensure compliance. The HIPAA Security Rule: A Summary resource can be found on cda.org. Also, HHS has on its site a Guidance on Risk Analysis.

For more information on patient privacy and HIPAA requirements, visit cda.org/Privacy-HIPAA.