Arguably Most Important
The HIPAA risk analysis is arguably the most important piece of the HIPAA puzzle: the Security Rule requires it outright (45 CFR 164.308(a)(1)(ii)(A)), and every other safeguard you choose is supposed to be justified by it. When you handle ePHI it is increasingly difficult to ward off cyber attacks and identity thieves, and a thorough risk assessment is how you find out where your network actually stands and what it will take to keep ePHI secure. Done properly it also produces a large body of useful data: an audit trail for the future, and the evidence you need to create or revise your policies and procedures.
Your Network Scan
Your risk assessment should begin with an external network scan. That means someone should be trying to reach your network from the internet, through whatever ports your server or firewall exposes. An open port is not by itself a HIPAA violation (a patient portal needs 443 open), but every port reachable from the internet must be one you deliberately chose to expose and can justify in writing; any service nobody decided to expose is a finding. The scan isolates those exposures so you can decide, host by host, whether to close the port, restrict it, or document why it stays open.
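The triage step described above, as an added example that is not part of the original post or Proponent IT's tooling: it parses the grepable output of an external nmap scan (nmap -oG), compares each host's open ports against the list of services the practice intends to expose, and emits risk-analysis findings. The host addresses, scan lines, allowlist and high-risk port table are constructed assumptions for the illustration.

```python
"""Triage an external port scan against the services you intend to expose.

Added example (not the page's or Proponent IT's code). Assumes the scan was
run from outside the perimeter with nmap's grepable output format (-oG).
The sample scan, the allowlist and the high-risk port table are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sS -p- -oG -` output for two public hosts.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 203.0.113.10 203.0.113.11
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65532)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///, 21/filtered/tcp//ftp///\tIgnored State: closed (65531)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Assumption: the practice decided to expose its patient portal on 443 on both
# hosts and administrative SSH on .10 only. Anything else is unplanned exposure.
ALLOWLIST = {
    "203.0.113.10": {443, 22},
    "203.0.113.11": {443},
}

# Services that should never face the internet from a network holding ePHI;
# these are rated high even if someone put them on the allowlist.
HIGH_RISK_PORTS = {23: "telnet", 445: "smb", 3389: "rdp",
                   1433: "mssql", 3306: "mysql", 5900: "vnc"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str  # "high" (dangerous service exposed) or "medium" (unplanned exposure)


# One grepable port entry looks like  443/open/tcp//https///  ; only "open" is kept.
PORT_RE = re.compile(r"(\d+)/(open)/(\w+)//([^/]*)")


def parse_open_ports(grepable: str) -> dict[str, set[tuple[int, str]]]:
    """Return {host: {(port, service), ...}} for every port nmap reports as open."""
    open_ports: dict[str, set[tuple[int, str]]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and bare "Status: Up" lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, _state, _proto, service in PORT_RE.findall(ports_field):
            open_ports.setdefault(host, set()).add((int(port), service))
    return open_ports


def triage(grepable: str, allowlist: dict[str, set[int]]) -> list[Finding]:
    """Compare the scan with the intended exposure and return findings for the risk analysis.

    Ports on the allowlist produce no finding: they are exposures with a documented
    decision behind them. Unplanned open ports are medium; known-dangerous services
    are high regardless of the allowlist.
    """
    findings: list[Finding] = []
    for host, ports in sorted(parse_open_ports(grepable).items()):
        allowed = allowlist.get(host, set())
        for port, service in sorted(ports):
            if port in HIGH_RISK_PORTS:
                findings.append(Finding(host, port, service, "high"))
            elif port not in allowed:
                findings.append(Finding(host, port, service, "medium"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN, ALLOWLIST):
        print(f"{f.severity.upper():6} {f.host}:{f.port} ({f.service})")
```

Filtered ports are deliberately ignored: they show the firewall is dropping traffic, which is the desired state. The real decision work happens on the allowlist, which should be a maintained document, not something reconstructed from memory during the assessment.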
The next step in any risk assessment is the internal network scan. This process digs into the structure of your network: the data pathways, connected devices, installed software, account credentials, and server and access logs. It matters because you cannot protect ePHI you have not located, so the goal of this step is to find and define every place ePHI lives on your network. If the scan shows that employees are saving records on their workstations instead of the central server, you have found a gap you can now close before it turns into a breach. Keeping ePHI in a central server location means you can monitor who accesses it, back it up, and make sure all ePHI at rest is encrypted; any copy that must remain on a laptop or workstation should be on an encrypted disk and listed in the inventory for the same reason.
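The "locate and define every place ePHI lives" step, as an added example that is not the page's or Proponent IT's code: it walks a directory tree standing in for the server share and several workstation profiles, flags text files containing identifiers that commonly appear in US health records, and separates the copies that sit outside the sanctioned share. The sample files, the share path, and the three patterns (SSN, an "MRN" tag, a DOB tag) are constructed assumptions; real practices will need patterns tuned to their own record formats and a text extractor for Office and PDF files, which this example skips by suffix.

```python
"""Find ePHI-like content saved outside the sanctioned server share.

Added example (not the page's or Proponent IT's code). Assumes one sanctioned
share path; the patterns are a starting point, not a definition of ePHI, and
the directory tree built by build_sample_tree() is constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# (label, regex). Assumptions: SSN with the invalid area/group/serial ranges
# excluded, an "MRN" tag with 6-10 digits, and a DOB tag with a US date.
PATTERNS = [
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("mrn", re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)),
    ("dob", re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE)),
]
# Only plain-text formats are inspected here; docx/xlsx/pdf need a text extractor.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".rtf"}


def scan_file(path: Path) -> dict[str, int]:
    """Count pattern matches in one file; {} means nothing ePHI-like was found."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return {}
    hits = {label: len(rx.findall(text)) for label, rx in PATTERNS}
    return {label: n for label, n in hits.items() if n}


def find_ephi(root: Path, sanctioned: Path) -> list[dict]:
    """Inventory every text file under root with ePHI-like content.

    Each entry records whether the file lies inside the sanctioned share, so the
    inventory serves both purposes of the step: knowing where ePHI is, and
    knowing where it should not be.
    """
    inventory = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        hits = scan_file(path)
        if hits:
            inventory.append({
                "path": path.relative_to(root).as_posix(),
                "hits": hits,
                "in_sanctioned": sanctioned in path.parents,
            })
    return inventory


def misplaced(inventory: list[dict]) -> list[dict]:
    """The findings for the risk analysis: ePHI copies outside the sanctioned share."""
    return [entry for entry in inventory if not entry["in_sanctioned"]]


def build_sample_tree() -> Path:
    """Create a constructed tree: one server share and three workstation profiles."""
    root = Path(tempfile.mkdtemp(prefix="ephi-scan-"))
    files = {
        "server_share/patients/intake_2023.csv": "name,ssn,dob\nJane Roe,123-45-6789,DOB 02/14/1980\n",
        "ws01/Desktop/notes.txt": "Call back MRN 00428871 about lab results\n",
        "ws01/Desktop/todo.txt": "order toner, book the conference room\n",
        "ws02/Downloads/export.csv": "Jane Roe,123-45-6789\n",
        "ws03/Documents/report.docx": "PK\x03\x04 binary placeholder",  # skipped: not a text suffix
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for entry in misplaced(find_ephi(root, root / "server_share")):
        print(f"{entry['path']}: {entry['hits']}")
```

Run it against mounted workstation profiles or a backup of them, not over the live network one file at a time, and keep the report itself on the sanctioned share: the output is a map of where ePHI is, which is exactly the kind of document that should not end up on a desktop.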
The last two steps in the risk analysis follow the scanning. Once the scans and the network structure identification are done, you need to sit down with the HIPAA compliance officer and ask a series of questions about the inner workings of the facility. These questions are policies-and-procedures oriented: they should map directly to the administrative, technical, and physical safeguards defined in the Security Rule, so that each safeguard has a written answer for how it is met (or why an addressable one was not). Document every step of the risk assessment process; HIPAA has no certificate, so that documentation is your audit trail and your evidence of compliance.
Once you have completed the onsite interview with the HIPAA compliance officer, you need to collate the data from the scans and the interview. With that data organized and in hand, perform an onsite inspection: walk the office and check every access point against what the interview said should be there. Unattended screens showing ePHI, workstations left logged in, or an unlocked telecom or server room that anyone in the building can enter mean you need to make major adjustments in the way you physically secure ePHI and access to it.
Compiling The Findings
Now that the analysis process is complete, the real work begins: compiling vast amounts of data and organizing it so that an auditor with no IT or clinical background can come in and see that you are making "reasonable and appropriate" efforts to protect electronic and physical protected health information. If you can't produce that documentation, you will find the HIPAA auditors looking for a thread to unravel the hypothetical HIPAA security sweater around your company. Don't let something you don't completely understand keep you from obeying the law. Sign up for a risk assessment today with Proponent IT. We will provide all the information you need and more. HIPAA compliance management is our specialty, and we are here to walk you through the process one step at a time. For more information, click here.