No Risk Assessment? Fine of $750K Imposed!

According to HealthIT Security, University of Washington Medicine (UWM) paid $750,000 to settle potential HIPAA violations arising from a 2013 breach, with the central finding being that no enterprise-wide risk assessment had been performed.

UWM came under the eye of the HHS Office for Civil Rights (OCR) after an employee opened an email attachment containing malware. The infection exposed two sets of data covering approximately 90,000 patients, including names, demographics, dates of service, and financial standing with the hospital.

The breach itself was only part of the reason for the settlement; the most significant factor was that the health system had never ensured a risk assessment was carried out. Without one, OCR concluded, UWM had no way of knowing what risks its patients’ data faced, which means its systems may well have contained further vulnerabilities that were never identified.

What is a Risk Assessment?

Jocelyn Samuels, OCR Director, said in a statement “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

In our many HIPAA consultations, we have found the lack of a risk assessment to be the most common gap among dental practices.  The risk assessment can be done internally, at no cost, and is the single most important thing you can do to protect yourself from a data breach.

There are nine components that a risk assessment must address, and templates are readily available.  With the example set by UWM’s settlement, it is clear that OCR does not accept lack of knowledge as an excuse for a data breach.

You can obtain a Risk Assessment Template through us, by filling out our contact form, and we’ll send you one geared for dental offices.

What you Need to Know

Because operating without a risk assessment can be treated as “willful neglect” of the law, the penalty tier that carries the highest fines, you need to know how to create your risk assessment.

  • For “the Security Rule”:
    • You’ll need a list of every computer, server, router, switch, and everything else on your network that is used to transmit, store, or read patient data, along with where each device sits and who is responsible for it.
    • You’ll need to ensure that encryption takes place at minimum when data is in motion – this covers email, backups, and internal network communications.  Encrypting data at rest on laptops, phones, and backup media is strongly advised as well, since a lost device whose data is properly encrypted generally does not trigger breach notification.  If you’re not sure whether the methods you currently use are encrypted, contact an IT company for help.
    • You’ll need a password and access policy, detailing how your employees authenticate and which patient data each role is permitted to access under HIPAA.
    • You’ll want to get a HIPAA consultation from a trusted IT company, as they can run penetration tests and vulnerability scans to determine exactly where data vulnerabilities exist.
  • For “The Privacy Rule”:
    • You’ll need to document how you protect your paper records from theft.
    • You’ll need a list of employees, keyholders, and dentists, along with each person’s physical access rights to your data, whether electronic or on paper.
    • You’ll need to document your workflow in detail – use your template for guidance.
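The inventory and encryption-in-transit steps above can be tied together in a short script: record every flow that moves patient data between systems, then flag any flow that does not use an encrypted protocol so it lands in your risk register. The following is an added example written for this page, not code from dmi Networking or from any template; the office, host names, and data flows are constructed for illustration, and the protocol tables are assumptions you should extend to match what your own network actually uses.

```python
# Added example (not from the original page): turn a data-flow inventory into
# risk-assessment findings by checking whether each flow carrying patient data
# uses an encrypted protocol. Hosts, flows, and the practice are hypothetical.
from dataclasses import dataclass

# Protocols grouped by whether they encrypt data in transit. These sets are an
# assumption for the example; add the protocols your own inventory records.
CLEARTEXT_PROTOCOLS = {"http", "ftp", "telnet", "smtp", "smb1", "pop3", "imap", "syslog"}
ENCRYPTED_PROTOCOLS = {"https", "sftp", "ssh", "smtps", "smtp+starttls", "smb3",
                       "pop3s", "imaps", "ipsec", "tls"}


@dataclass(frozen=True)
class Flow:
    source: str        # system that sends the data
    destination: str   # system that receives it
    purpose: str       # why the data moves (email, backup, internal app traffic)
    protocol: str      # protocol as recorded in the inventory
    carries_phi: bool  # does this flow contain patient data?


def transport_status(flow: Flow) -> str:
    """Classify a flow as 'encrypted', 'cleartext', or 'unknown'."""
    proto = flow.protocol.strip().lower()
    if proto in ENCRYPTED_PROTOCOLS:
        return "encrypted"
    if proto in CLEARTEXT_PROTOCOLS:
        return "cleartext"
    return "unknown"


def assess(flows):
    """Return one finding per PHI-carrying flow that is not known to be encrypted.

    A cleartext flow is a HIGH finding. A flow whose protocol the inventory does
    not name clearly is marked REVIEW rather than silently assumed to be safe.
    """
    findings = []
    for flow in flows:
        if not flow.carries_phi:
            continue  # non-PHI traffic is out of scope for this check
        status = transport_status(flow)
        if status == "encrypted":
            continue
        findings.append({
            "flow": f"{flow.source} -> {flow.destination} ({flow.purpose})",
            "protocol": flow.protocol,
            "severity": "HIGH" if status == "cleartext" else "REVIEW",
            "action": ("replace with an encrypted protocol or tunnel"
                       if status == "cleartext"
                       else "confirm with the vendor how this traffic is protected"),
        })
    # HIGH findings first so the worst gaps head the risk register (stable sort).
    findings.sort(key=lambda f: f["severity"] != "HIGH")
    return findings


# Constructed inventory for a hypothetical single-location dental office.
INVENTORY = [
    Flow("front-desk-pc", "practice-server", "practice management app", "https", True),
    Flow("practice-server", "office-nas", "nightly backup", "smb1", True),
    Flow("office-nas", "offsite-backup", "weekly offsite copy", "sftp", True),
    Flow("front-desk-pc", "mail-relay", "claims sent by email", "smtp", True),
    Flow("xray-sensor-pc", "practice-server", "imaging upload", "vendor-proprietary", True),
    Flow("front-desk-pc", "guest-wifi-router", "web browsing", "http", False),
]

if __name__ == "__main__":
    for finding in assess(INVENTORY):
        print(f"[{finding['severity']}] {finding['flow']} uses "
              f"{finding['protocol']}: {finding['action']}")
```

Run against the constructed inventory, the script reports the SMB1 backup and the plain-SMTP claims email as HIGH findings and the proprietary imaging upload as needing vendor confirmation, while the HTTPS and SFTP flows pass and the non-PHI guest browsing is ignored. Each finding maps directly to a line in your risk register: the flow, the current protocol, and the corrective action.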

If you Need Guidance

Here at dmi Networking, we’ve been conducting free HIPAA consultations for years, with the specific aim of beginning or updating your risk assessment.  Give us a call for information about our program.

If you’re not quite ready for an IT consultation, then start with the ADA HIPAA Compliance Kit.

Whatever choice you make, do it soon – the Risk Assessment can be done internally, for free, and is your first line of defense in a HIPAA audit.
