Lessons for Physician Practices from their Security Risk Assessment

Author: Todd McDonagh, Principal & CEO

Dec 15, 2022 | Risk

Far too often, physician practices leave the heavy lifting of their Security Risk Assessment (SRA) to their IT team, IT vendor, or Managed Service Provider (MSP). It is true that much of the SRA focuses on technical safeguards, but it is critical that elements of the administrative and physical safeguards are not overlooked. Three areas often take a back seat year after year: writing established workflows into the policies, inconsistent disposal of physical PHI, and HIPAA training beyond the annual requirement.

Most physician practices do a decent job with processes for authorizations, workstation use, employee access to PHI, emailing, and password management, but often these processes are not incorporated into the HIPAA Policy manual. If your practice had a reportable incident, there is a high likelihood that boilerplate policies will not hold up. The Office for Civil Rights (OCR) will expect to see workflows that are specific to your practice, so those well-established processes need to be written into your HIPAA Policy manual.

Without fail, every year during our site visits, we come across instances of physical PHI not being managed properly. Even though technology now pervades a practice's operations, physical PHI can still find its way into improper receptacles. If you use secondary containers to collect physical PHI before transferring it to a lock box, those containers should be clearly marked with signage stating that their contents are not to be thrown away. The best practice is to have enough lock boxes that secondary containers are not necessary. Employees should also understand that all physical PHI needs to reach the lock box throughout the day and that their work areas should be free of physical PHI before they leave for the day.

According to the Security Rule, HIPAA training is required periodically. Most physician practices meet this requirement by holding annual training sessions. To establish a culture of privacy and security compliance, this annual training needs to be augmented with a regular cycle of cybersecurity training and quarterly HIPAA updates during company or staff meetings. Cyber threats are continuous and constantly changing. Your employees need to understand how their behavior can create risk. Phishing exercises should be conducted several times throughout the year, and employees should feel comfortable reporting unusual email or IT behavior to the practice's help desk.

Working through these simple safeguards goes a long way toward reinforcing your practice's commitment to HIPAA compliance. The HIPAA Safe Harbor Law, which was passed in January 2021, identifies 5 major threats, and if a practice has solid cybersecurity practices in place, it limits its exposure in a reportable situation; paying attention to the small stuff, however, is equally important.