As discussed in previous articles, HIPAA has changed the way that dental practices need to operate. Not only do dentists need to be current on the latest technology and IT systems, but they must also ensure that they incorporate those technologies in a HIPAA-compliant manner.
While we’ve looked at things from a technical standpoint, most offices that have gone through the process of HIPAA compliance realize there are many administrative parts of HIPAA as well. In fact, more than 50% of all HIPAA rules and regulations are administrative in nature.
While we will examine many of these in the coming months, there is one critical component to address first, because most HIPAA auditors will ask for it the minute they walk through the door: a copy of your most recent risk analysis.
What is a risk analysis and why is it important? Well, HIPAA section 164.308(a)(1)(ii)(A) is quite clear, and it states, “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” This is a required section, so you must do this. Another section, 164.316(b)(2)(iii), says you must update it periodically.
So that's easy, right? Wrong! The people who put HIPAA together were purposely vague about the details. They understood that a risk analysis in a dental office is much different from one in a multi-location hospital, so they left it up to the covered entity (you) to figure out the details. The general steps of a risk analysis are:
Determine where the vulnerabilities exist.
Determine what threats your network faces.
Determine where you are at risk.
Identify and document threats and vulnerabilities.
Assess your current security measures.
Determine the likelihood of threat occurrence.
Determine the level of risk.
Finalize the documentation.
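To make those steps concrete, here is a small risk register written for this article as an added example; it is not the article's own tool and not the free assessment linked below. It records, for each place electronic PHI lives, the threat, the vulnerability, the current safeguards, and a likelihood and impact rating, then scores and ranks the entries and prints the summary you would keep as documentation. HIPAA prescribes no scoring scale, so the three-point scales, the likelihood-times-impact score, and the Low/Medium/High bands are assumptions of this example, and the sample entries are constructed for a fictional small dental office.

```python
"""Minimal risk register for a HIPAA-style risk analysis.

Records threats, vulnerabilities and current controls per ePHI asset,
scores likelihood x impact, and renders the documentation summary.
The scoring scale is an assumption of this example, not a HIPAA rule.
"""
from dataclasses import dataclass

# Assumed three-point qualitative scales (the regulation prescribes none).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}
REQUIRED_TEXT_FIELDS = ("asset", "threat", "vulnerability", "current_controls")


@dataclass
class RiskItem:
    asset: str             # where the ePHI lives
    threat: str            # what could go wrong (identify threats)
    vulnerability: str     # the weakness the threat would use (identify vulnerabilities)
    current_controls: str  # safeguards already in place (assess current measures)
    likelihood: str        # "low" | "medium" | "high" (likelihood of occurrence)
    impact: str            # "low" | "medium" | "high"

    def score(self) -> int:
        """Risk score = likelihood x impact, range 1..9 (assumed scheme)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Assumed banding of the 1..9 score into Low / Medium / High."""
        s = self.score()
        if s >= 6:
            return "High"
        if s >= 3:
            return "Medium"
        return "Low"


def validate(item: RiskItem) -> list[str]:
    """Return names of fields that are blank or outside the scale, so an
    incomplete line never reaches the finalized document."""
    problems = [f for f in REQUIRED_TEXT_FIELDS if not getattr(item, f).strip()]
    if item.likelihood not in LIKELIHOOD:
        problems.append("likelihood")
    if item.impact not in IMPACT:
        problems.append("impact")
    return problems


def rank(register: list[RiskItem]) -> list[RiskItem]:
    """Highest-scoring risks first; ties broken by asset name for a stable report."""
    bad = {}
    for item in register:
        problems = validate(item)
        if problems:
            bad[item.asset] = problems
    if bad:
        raise ValueError(f"incomplete entries: {bad}")
    return sorted(register, key=lambda i: (-i.score(), i.asset))


def render(register: list[RiskItem]) -> str:
    """Plain-text summary for the 'finalize the documentation' step."""
    lines = [f"{'Level':<7}{'Score':<6}{'Asset':<28}Threat; vulnerability; current controls"]
    for i in rank(register):
        lines.append(f"{i.level():<7}{i.score():<6}{i.asset:<28}"
                     f"{i.threat}; {i.vulnerability}; controls: {i.current_controls}")
    return "\n".join(lines)


# Constructed sample register for a fictional small dental office.
SAMPLE_REGISTER = [
    RiskItem("Front-desk laptop", "Theft or loss of the device",
             "Disk not encrypted; local copies of patient schedules",
             "Windows password login", "medium", "high"),
    RiskItem("Practice management server", "Ransomware outbreak",
             "Backups kept on the same network share as live data",
             "Antivirus; nightly backup job", "medium", "high"),
    RiskItem("Practice email account", "Phishing leading to account takeover",
             "No multi-factor authentication",
             "Spam filtering", "high", "medium"),
    RiskItem("Office Wi-Fi", "Eavesdropping on patient data in transit",
             "Guest and clinical devices share one network",
             "WPA2 passphrase", "low", "high"),
    RiskItem("Digital X-ray workstation", "Viewing by non-clinical staff",
             "Shared login; screen never locks",
             "Workstation in staff-only area", "low", "medium"),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
```

Running the script prints the ranked table; the three High entries surface first, which is the point of scoring: it tells a small office where to spend its limited time, and the rendered table, dated and kept with the previous year's copy, is what an auditor will ask to see.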
There are many ways to do a risk analysis. We offer a free one on our website at www.thedigitaldentist.com/risk-assessment, and there are HIPAA professionals who can help you do similar assessments either remotely or onsite.
As for frequency, that is also up for debate. I recommend doing a risk analysis yearly, but if there haven’t been any significant changes to your practice, you can argue that every 2-3 years is also appropriate.