Episode 338: Why Risk Analysis Is A Fundamental Requirement (Highlights From The OCR)

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In this episode, we’re sharing why risk analysis is essential for mental health providers, inspired by a recent webinar from the Office of Civil Rights (OCR). 

We discuss the core mandate of the HIPAA Security Rule; how risk analysis is essential to safeguarding PHI; conceptualizing the lifecycle of PHI in your practice; how often to do a risk analysis; written policy vs. implemented policy; security measures degrading over time; and HIPAA as a useful tool for client care.

PCT Resources

• PCT’s HIPAA Risk Analysis & Risk Mitigation Planning  service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.

• PCT’s Group Practice PCT Way HIPAA Compliance Manual & Materials  — comprehensive HIPAA Security Policies & Procedures for the practice as HIPAA covered entity *and/or* Business Associate/MSO. Comprehensively covers the HIPAA P&Ps for contractor clinician structure group practices, employee structure group practices, and practices that are hybrid.   

  Policies & Procedures include:

  • Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.

  • Computing Devices and Electronic Media Technical Security Policy

  • Bring Your Own Device (BYOD) Policy

  • Communications Security Policy

  • Information Systems Secure Use Policy

  • Risk Management Policy

  • Contingency Planning Policy

  • Device and Document Transport and Storage Policy

  • Device and Document Disposal Policy

  • Security Training and Awareness Policy

  • Passwords and Other Digital Authentication Policy

  • Software and Hardware Selection Policy

  • Security Incident Response and Breach Notification Policy

  • Security Onboarding and Exit Policy

  • Sanction Policy Policy

  • Release of Information Security Policy

  • Remote Access Policy

  • Data Backup Policy

  • Facility/Office Access and Physical Security Policy

  • Facility Network Security Policy

  • Computing Device Acceptable Use Policy

  • Business Associate Policy

  • Access Log Review Policy

  Forms & Logs include:

  • Workforce Security Policies Agreement

  • Security Incident Report

  • PHI Access Determination

  • Password Policy Compliance

  • BYOD Registration & Termination

  • Data Backup & Confirmation

  • Access Log Review

  • Key & Access Code Issue and Loss

  • Third-Party Service Vendors

  • Building Security Plan

  • Security Schedule

  • Equipment Security Check

  • Computing System Access Granting & Revocation

  • Training Completion

  • Mini Risk Analysis

  • Security Incident Response

  • Security Reminder

  • Practice Equipment Catalog

  Plus:

  • Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures (includes the prohibitions on non-HIPAA-acceptable personal services + defines what personal services *are* allowable.)

  • 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer.

  PCT’s free “mini risk” tool, for needs identification related to what’s within and what’s outside your practice’s Security Circle (including personal device use)

• Group Practice Care Premium  for weekly (live & recorded) direct support & consultation service with PCT consulting team + monthly session co-facilitated by Eric Ström, JD PhD LMHC
• + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing documenting personal & practice-provided devices(for *all* team members at no per-person cost) + more
• + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing documenting Remote Workspaces (for *all* team members at no per-person cost)