One of the most rewarding things PMI does on a regular basis is to visit Pediatric practices around the country to help identify opportunities to improve their practice. This is the fourth of a 5-part series of emails detailing some of the most common things we recommend to our clients.

HIPAA Risk Analysis / IT Security
Pediatric practices have a lot of data that people want for nefarious purposes. The value of such data is immense in the hands of certain people and they will do just about anything to get their hands on it. For Pediatric practices, it is extremely difficult to balance the need to protect your EMR data while providing the accessibility needed to correctly document your encounters and bill for the services rendered.
To encourage practices to ensure they are protecting their data, participation in certain programs (i.e. Meaningful Use) requires that your organization conduct a “Risk Analysis” to evaluate the strength of your computer security.
Some very smart people put together a list of items that should be reviewed and monitored on a periodic basis to help identify opportunities to mitigate data breaches. Many practices simply filled out the paperwork and checked off the necessary boxes to meet the requirements instead of embracing the opportunity to ensure that adequate controls are in place to protect the data. We continually find that after practices completed their initial Risk Analysis, they left the paperwork to collect dust.
Many practices have failed to embrace the opportunity to continuously take measures to protect the information their patients entrusted to them. Practices should review the previous Risk Analysis on a periodic basis to identify opportunities to mitigate their exposure. More importantly, practices need to heed the ongoing requirements (such as documenting when computers are disposed of) as well as making sure all computers are properly encrypted (which is free for all Windows computers).
The single most overlooked item is ensuring that all USB drives are disabled within the office. Someone with a wee bit of horse sense can readily walk off with enough patient data to sink a cruise liner through a variety of screen capture and raw data exports.
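As an added illustration (not PMI's own tooling), the script below audits a single Windows workstation for the two controls just mentioned: removable USB storage blocked and the system drive encrypted with BitLocker. It assumes an elevated PowerShell prompt and the built-in BitLocker module; the registry locations are the standard ones written by the "All Removable Storage classes: Deny all access" Group Policy setting and by the USB mass-storage driver service.

```powershell
# Added example, not part of the original email: audit a Windows workstation
# for the two controls named above. Run elevated; requires the BitLocker module
# (Windows 8 / Server 2012 and later). Reports only; it changes nothing.

function Test-RemovableStorageBlocked {
    # The "All Removable Storage classes: Deny all access" policy writes Deny_All = 1 here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' `
                -ErrorAction SilentlyContinue).Deny_All

    # Alternatively, some shops disable the USB mass-storage driver service (Start = 4).
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $usbstorStart = (Get-ItemProperty -Path $usbstorKey -Name 'Start' `
                     -ErrorAction SilentlyContinue).Start

    return ($denyAll -eq 1) -or ($usbstorStart -eq 4)
}

function Test-SystemDriveEncrypted {
    # A volume that is merely "encrypting" or has protectors suspended does not count.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) { return $false }   # module unavailable or edition without BitLocker
    return ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
}

$findings = [ordered]@{
    'Removable USB storage blocked'    = Test-RemovableStorageBlocked
    'System drive BitLocker-encrypted' = Test-SystemDriveEncrypted
}

foreach ($item in $findings.GetEnumerator()) {
    $status = if ($item.Value) { 'PASS' } else { 'FAIL - review with your IT vendor' }
    Write-Output ('{0,-35} {1}' -f $item.Key, $status)
}
```

A FAIL on either line is a finding to record in the Risk Analysis paperwork, not just to fix quietly; the point of the periodic review is that the documentation and the actual state of the machines agree.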
While we could continue with a litany of items that should be addressed, you need to ask yourself the following question: “Have I taken every reasonable precaution to protect the information entrusted to me by my patients?” If the answer is no, then you need to visit with your IT vendor and tidy some things up.