What is a HIPAA Risk Analysis?

The Health Insurance Privacy and Portability Act (HIPAA) was put into place to protect patients' privacy and give them control over how their health care information is used. In the medical field, having a HIPAA plan for your practice is not enough. You must always meet HIPAA compliance regulations, or face a hefty fine and tarnish your reputation with patients. The first step to meeting compliance is to implement a HIPAA Risk Analysis.


About the HIPAA Risk Analysis


The goal of a HIPAA Risk Analysis is to reveal the possible risks and weaknesses to the integrity, confidentiality and availability of electronic protected health information (ePHI). From there, the proper safeguards can be determined to keep the amount of risk to a manageable and acceptable level.


The benefit of a HIPAA Risk Assessment is that once you know the risk level of the organization, you can decide how to lessen those risks effectively. This involves identifying the information your practice needs to protect where that material lives and moves. Once this intelligence has been gathered, a basis for security policies to protect this data can be established.

Here are a few ways that HIPAA IT security policies can be implemented in order to avoid a severe fine for non-compliance:

Access Limitations

Protected Health Information (PHI) is required by HIPAA to be limited to only those who are authorized or granted access rights. As more information is stored on network servers and exchanged among physicians, external partners and patients, covered parties must ensure that data cannot be revealed to snooping and malicious individuals. The system must be set up with password protection and use digital certificates so that only those whom have had files encrypted for them can view the sensitive material.

Transmission Security

PHI must not only be protected while stored, but also when it is being transmitted via a private or public network. This way, the sensitive data is always secure when shared between partners, employees, patients, insurance companies and doctors. Data must be protected at the file level, and not just over communication channels.

Data Integrity

Secure information is not only supposed to be safeguarded against unauthorized viewing, but also against improper destruction or alterations. For those who do not have permission to change the information, access must be denied. In addition, there must be a way for users to know if changes have been made to a document. One way to do this is to employ digital signatures on encrypted data. When a document is encrypted, unauthorized users are denied access, where they cannot edit, delete or view the information. With a digital signature, this ensures that the document was not changed in any way since it was signed originally. The signature will not be valid once the document has been improperly tampered with.

These are some of the ways that HIPAA IT security policies can be implemented. In order to make sure you meet compliance, contact Matthijssen, where we offer HIPAA Risk Analysis, assistance creating IT security policies and ongoing maintenance to ensure HIPAA compliance. Contact us with any questions you may have about HIPAA or Risk Assessment and one of our knowledgeable team members will gladly answer all your questions.