By: A Dental Blueprint for Success
A HIPAA risk assessment should be at the top of your list for preventing a breach of the personal health information held in your dental office. Such a breach could be catastrophic for your finances, your reputation, and especially for patient trust. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 set out the requirements for protecting patients’ health records, and that is why making your office HIPAA compliant matters so much. But how can you be sure your patient records are secure? Where do you begin your risk assessment, and what should you do about the problems you find? Here are a few basics to get you started.

The first step in a HIPAA risk assessment is to look at the personal health information itself: where are the files located—in a file room, online, or both? Do you ever receive them from elsewhere, transmit them to others, or make them available online to patients? Every one of these external connections can be a point of vulnerability in your dental office. That, in fact, is the next step: identify where these health records are vulnerable and what the potential threats might be. Hire an IT professional or a cybersecurity expert for this, and once the vulnerabilities are found, assess the steps already being taken to protect the health records.

It is very possible that the protections you have already put on patients’ personal health information are not adequate. That is where your security expert plays a crucial role, helping you strengthen these protections. This professional can also assess whether your dental office employees are even following the existing security protocols. He or she can then establish stronger protocols, carry out employee training, and set up ways to monitor for breaches of these standards. HIPAA compliance relies, at least in part, on every employee buying into the importance of protecting patient health records.
You can use the HIPAA risk assessment tool that the Office for Civil Rights, the overseer of HIPAA compliance, has made available for download. Answering its questions can help you evaluate the situation with your patients’ personal health information. However, this tool can only deal in generalities and cannot guarantee that you find every vulnerability and plug every hole. The heavy lifting should still be done by the person hired as the security expert for your dental office, because only someone “on the ground” can properly assign different risk levels and tailor policies and procedures to your specific situation.

Once you have conducted your assessment and developed policies to protect patients’ personal health information, you are not quite done. What happens when an employee leaves? You need ways to ensure that former employees of your dental office can no longer access the health records. You also need a schedule of regular reassessments, in case your risk levels change. To be HIPAA compliant and make patient information as secure as possible, be sure to take all the necessary steps to conduct a strong, thorough HIPAA risk assessment.