By Dan Gospe
The Nine Components of a Dental Risk Assessment
The Department of Health and Human Services (HHS) requires dental practices to perform a risk assessment as a first step to achieving HIPAA compliance. Although there is no standardized template to follow when documenting your risk assessment, there are nine mandatory components that must be included in your analysis.
Required Components of Your HIPAA Risk Assessment
1. Identify the Scope of your Data
The first step to your risk assessment is to document all of the devices and media which are used for storage or transmission of Protected Health Information. This includes any desktop PC, server, laptop, smartphone, tablet, backup drive, USB drive, router, modem, email address, and any other mechanism or device which can retrieve, transmit or control PHI.
Once all of these mechanisms and devices are documented, they can individually be analyzed as to their specific vulnerabilities and safeguards, creating the basis of a data security map for your dental practice.
2. Data Collection and Storage Methods
Locate and document where patient data is being stored, received, maintained and transmitted. Document the methods that you use for backing up your patients’ data, and document the safety methods in place. Safety methods can include physical locks and data encryption of your backup drives.
3. Identification of Potential Threats and Vulnerabilities
A third-party consultation is recommended for a complete analysis of vulnerabilities to your data. Using a network vulnerability/penetration scan, HIPAA specialists can document and identify any security holes that need to be addressed before reaching compliance. Other threats to data can include items such as physical security, employee access, and patient privacy screens.
4. Current Security Measures in Place
You are probably already following internal policies and procedures which protect your data. These may include encryption, security cameras, or audit trails. Document the current state of your data security along with vulnerabilities that you identify through your risk assessment.
5. Determine the Likelihood of Data Breach
Determine the probability of data breach through each identified risk in section 3. Take into account the size of your office, and security measures in place. These probabilities can be ranked on a scale of “low”, “medium”, and “high”. Medium and high risks should be addressed by implementation of new security protocols such as data encryption and restricted access by employees.
6. Document the Potential Impact of Data Breach
Determine the maximum level of fines levied for each patient involved in a data breach, and determine how many patients have information stored on your network. Additionally, identify the nature of the data being stored – is it only medical records, or is billing data also kept in your office? Document the perceived impact of a full data breach, and keep in mind not only cost, but impact to your brand. Remember that all breaches involve over 500 records must be reported to the press.
7. At this Point, Determine the Level of Risk
Using your risk assessment thus far, estimate the overall level of risk of data breach that exists in youyr dental practice. HHS recommends taking the average of the liklihood (#5) and impact (#6) to determine the level of risk. Along with this portion of the analysis, document a list of corrective actions that will be performed to mitigate risk.
8. Finalize your Documentation
Organize your findings in a professional summary. HHS demands that your risk assessment be assembled into a readable document that contains all of these required components.
9. Periodic Review and Update
Your risk assessment is a “living document.” This means that each year, you must review your risk assessment and add to it. The road to compliance can be long – HHS requires a roadmap to compliance with action being taken to achieve the ultimate goal of full compliance. Adopting new technology might be on the docket for your next risk assessment. Each year, you should document your goals and how you will continue to mitigate risk in your dental practice.
Finding Help with your Risk Assessment
dmi Networking provides dental IT services in Northern California, and is currently offering free onsite HIPAA consultations. Contact us for information on how we can help you with your risk assessment.