Security Risk Assessments: Critical regardless of practice size
In small- to medium-sized practices, there are necessarily fewer resources available for implementing the policies and procedures that will ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) offers resources for smaller practices, where legal counsel is unlikely to be on staff and security experts are more likely to be contracted than employed.
In 2014, the Office of the National Coordinator for Health IT (ONC) in collaboration with HHS’ Office for Civil Rights (OCR) released a downloadable security risk assessment (SRA) tool to help guide practices through the assessment process.
Jordan Cohen, JD, an attorney with Mintz, Levin, Cohn, Ferris, Glovsky, and Popeo in New York, New York, says the HHS tool is a good first step for smaller practices that want to conduct a risk assessment. He cautions, though, that the SRA is “only one tool, and the risk assessment is only one aspect of HIPAA compliance.”
The National Institute of Standards and Technology (NIST) also has a tool to help practices comply with the security rule portion of HIPAA, which Cohen recommends because it includes a risk assessment, as well as help with implementing the assessment and other requirements of the rule. There are also paid applications and consultants who can assist with the process. “Whether these tools are needed really depends on the size of the practice and the complexity of its systems,” he says.