CDA Journal - May/June 2020: Ahead of an Evolving Curve

Page 51

Regulatory Compliance

CDA Journal, Vol 48, Nº 5/6

Easy-To-Use Tool Helps Dental Practices Complete HIPAA-Required Analysis

CDA Practice Support

One of the essential elements to HIPAA compliance is the completion of an enterprisewide risk analysis. A risk analysis generally is comprised of three parts:

■  A compliance assessment — Is a covered entity in compliance with every element of the HIPAA privacy and security rules?
■  A technical assessment — Does a covered entity have the technology necessary to comply with the technical implementation specifications, or safeguards, of the HIPAA security rule?
■  A risk assessment — How well is a covered entity prepared to manage the threats and vulnerabilities to the systems that store and communicate protected health information?

The risks of not conducting a risk analysis can be severe for small-sized health care providers. On March 3, 2020, the Office for Civil Rights (OCR) announced it had reached a settlement with a medical practice that provides services to over 3,000 patients. OCR found that the practice never conducted a risk analysis and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The practice agreed to pay $100,000 and to implement a corrective action plan that includes two years of monitoring.¹

Conducting a thorough risk analysis, especially the risk assessment, is a time-consuming task for a small health care provider. Fortunately, the Office of the National Coordinator for Health Information Technology (ONC) provides a free security risk assessment tool created specifically to assist small businesses.² ONC recognizes that smaller health care entities face greater challenges in meeting information security standards because of limited resources.

The Security Risk Assessment Tool organizes information entered into it and produces reports. The tool can be as useful as the work put into it, much like the usefulness of a business plan to the development of a dental practice. The process forces the user to consider questions it may not have considered before. However, the tool may not account for newer or previously unrecognized risks and vulnerabilities, for example, social media use, and the user should be careful to include these newer risks while entering information into the tool.

The information a user enters into the tool is saved on the device of the user’s choosing and is not transferred to or collected by ONC or the Department of Health and Human Services. The user can stop entering information at any point, save the information and continue the process another day.

The tool allows an individual to include an inventory of assets that hold PHI and a list of vendors that use PHI. With asset tracking, the tool allows an individual to note each asset’s encryption level, type of information held or used, location, assignment (individual or purpose), internal identifier and disposal status. Vendor tracking includes vendor contact information,

