• Designate a security officer to manage the compliance process.
• Perform an annual risk analysis, via the risk tool, to provide an in-depth view of the practice’s Protected Health Information — “PHI” — and how to maintain the confidentiality, availability and integrity of that information.
• Create and execute a Risk Mitigation plan that provide solutions that balance the impact of the risk with the practice’s ability to implement “reasonable & appropriate” solutions.
• Create and adhere to a series of Policy & Procedures that outline good security behaviors and specify the sanctions for what happens if they are not followed.
• Train staff on the practice’s unique Policies & Procedures annually. A generic “HIPAA” course will not fulfill this need.
• Document all security behaviors including the annual risk analysis and Policy & Procedure updates, along with other activities such as changing passwords, auditing devices, and reviewing access logs.
• Continually monitor for and integrate newly found risks or changes into the formal process.

A Risk Analysis is the cornerstone of your security behaviors, which evaluates and mitigates your risks and is a necessity for HIPAA compliance.

According to the Department of Health and Human Services: “The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes.”

The main function of the Risk analysis is to evaluate your risks and what impact they would have, and then implement a plan to mitigate those risks.  The process includes defining the behaviors needed to ensure you adhere to the plan, documenting security behaviors, and continue this process for continued security. For group practices, who have a larger “surface area” of security risk, this process will be vital to your organization. Let’s look at a few key details of what is involved in this process.

What do you do in a Risk Analysis?

A risk analysis is a formal process that is, in part, performed with a Risk Analysis tool that walks you through each of the HIPAA Security standards.  It helps you identify your risks, what kind of impact the risk would have if realized, and then requires a reasonable and appropriate plan to minimize your risks.

You will perform an in-depth look at your Protected Health Information (PHI) and how to maintain the confidentiality, availability, and integrity of that information.  You must look at your resources through an administrative, technological, and physical security lens.

For example: your analysis will include looking at if hackers could access your email or your WIFI network; What if your cell phone with PHI was lost?; What if your practice lost power?  While the chance of one of these happening might be likely (depending on your circumstances), and it would highly impact the practice, most of these scenarios are easy to mitigate.

What is reasonable & appropriate?

HIPAA standards were designed to oversee ALL covered entities ranging from a solo counselor in private practice to a multi-state network hospitals. So when we implement our risk mitigation plan, it will be custom to our needs and geared to our ability to solve the problem at hand with the resources that are within our means.

Every group practice is a unique entity with its own business model, tech setup, and resource allocation. As a result, risk vulnerabilities will be particular to each unique practice and will require custom mitigation solutions in order to ensure efficacy and feasibility.

How often do you do a Risk Analysis?

According to the Department of Health and Human Services: “Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”

Performing the initial risk analysis process is only one piece of this puzzle; risk analysis actually includes security behaviors that need to be a continual process within the practice.  You conduct a formal risk analysis every year, but you implement, update, document, and engage with its results 24/7.

What does the Risk Process look like?

1) Analysis via the Risk Tool

2) Making your mitigation plan

3) Executing your mitigation plan over a designated timeline

4) Writing out needed security behaviors (think Policies & Procedures)

5) Performing those behaviors and documenting them as needed

6) Integrating any practice changes into this formal process

What are Policy & Procedures?

When you create a risk mitigation plan you will find that you have to define certain security behaviors. This is done in the form of Policies & Procedures. Simply put, these will be a set of comprehensive governing documents that will detail necessary behaviors.

Policies & Procedures will define many aspects of practice life for your workforce, including: how electronic devices are used, usage of secure passwords, what types of WIFI networks they can access, what information they have access to, and what happens when these Policies & Procedures are not followed.

Policies & Procedures will also set the foundation of management activity: such as determining training needs, auditing security logs, sending out security reminders, reviewing potential breaches, physical building security, and much more.

To elaborate one of the prior example circumstances about the threat of unsecure WIFI: you may find that your clinicians will use their personal devices that handle PHI when they are out of the office and will access external WIFI networks. So, you will want to create a P&P to make sure they have a clear understanding of what makes a network secure and unsecure and explicitly state when WIFI cannot be used — e.g. any public WIFI such as a coffee shop, airport, or hotel. Solutions can be really easy when you know what the problem is.

How do you document?

The format is up to you, but you will need to make sure you document your security activities.  If you don’t document when you review access logs, perform a training, or audit a device — then it wasn’t done according to HIPAA. You will also need to keep a record of each annual risk analysis and the Policy & Procedure updates.

Something changed! What now?

Most changes, but not all, can be handled with a “mini risk analysis.” It’s a simplified version of the full risk analysis process which will review the change and all of the areas that are also impacted by the change.  When you encounter a level of large complexity with multiple areas of potential risk impact, then you will need to evaluate if it is necessary to repeat the formal risk analysis process.

The key is to make sure that as new threats are revealed or changes happen — as they will — that they are approached in a methodical manner and integrated into your current system of security.

Who does the Risk Analysis?

The HIPAA Security rule requires that you designate a Security Officer who is the party responsible for all security activity.  They will be point in performing the annual risk analysis, setting up the P&P, facilitating implementation of the risk mitigation plan, ensuring ongoing compliance activity, and documenting everything.

PCT & the Risk Process.

The Risk Analysis is a very engaging process that can be time consumptive, and can cover a lot of material where the Security Officer may not be the expert.  As the security, risk, and ethics experts in the mental health field, PCT will work as your “co-pilot” through the entire process — offering as much support as needed, significant time savings, and custom solutions.

• Our tool is uniquely designed for non-techy, mental health providers.  Rather than just a list of risks, we provide a narrative description of risk circumstances to help engage and drive home concepts we are familiar with.
• Our vast experience with tech setup will help create solutions that are “reasonable & appropriate” for your specific needs.
• You are supported through the entire risk process.  Our consulting can be simply guiding the Security Officer on using the tool or directly facilitating and performing the process with the Security Officer.
• We provide Policy & Procedure templates and will help customize them based upon the results of the Risk Tool.  (Trust us when we say you do not want to write these from scratch!)
• Blank Forms & Logs for you to document your security behaviors. “Documentation or it wasn’t done”!

Additional Needs of the Security Rule & Risk Analysis.

• Creating a contingency plan for when emergency strikes.
• Having a process for assessing and handling breaches.
• Customized training for your staff based on your unique Policy & Procedures.
• Solid documentation of all your behaviors held for at least 6 years.

The Security Officer is a designated position within a practice that leads your security activity and is a necessity for HIPAA compliance.

The HIPAA Security Rule includes this requirement: “Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”

For group practices, who have a larger “surface area” of security risk, this position will be vital to your organization. Let’s look at a few key details of who can be the security officer, what actions they will perform, and what they will need to do to fulfil the duties of this position.

Who can be the Security Officer?

In a group practice you have many options for who can be a Security Officer. While it can be the owner of a group practice, it does not mean you have to be nor necessarily should be.  Here are the considerations when designating your Security Officer — or SO.

• The person in this position should have a general comfort with tech, but they do not need to have a tech background. PCT will back them up with the technical expertise they need.
• They should have a level of empowerment from the owner necessary to enforce security measures.
• They have to be part of the practice. This position should not be contracted out; they need to be able to have an ongoing presence and authority within the practice.
• They need time designated to perform the needed activity.  Initially the risk process can be time consuming, so this person would need to have allocatable time (which is why the owners might not be the best fit for large practices!)

People who we tend to see in this position: practice managers, family who provide formal support to the practice, lead admin staff, or tech savvy clinicians.  One of the first steps when working with PCT is that we will help evaluate who should be the Security Officer.

What does the Security Officer do?

The SO has many responsibilities and duties both in implementing and continuing to maintain your compliance and risk mitigation needs.

Some of the duties of the SO include, but are not limited to, performing your risk analysis, developing the security plan, monitoring the plan, enforcing the plan, training the staff, and documenting everything! PCT will back them up the whole way through.

Implementing: perform the risk analysis, develop the risk mitigation plan, write the Policy & Procedure documents that will enforce the plan, and write the sanctions for violations of P&P.

Onboarding: train the staff, document security behavior, set a yearly calendar of security needs, and make any changes that are required in the mitigation plan.

Maintenance: onboard new clinicians, perform routine security risk checks and audits (ie. reviewing access logs, sending the monthly security reminders, and audit devices), perform “mini-risk analysis” when natural changes happen, and perform any breach-related activity.

PCT and your Security Officer?

The SO is a very large role with a lot of responsibility, and it may include topics where they are not the expert.  As the security, risk, and ethics experts in the mental health field, PCT will work as your “co-pilot” through the entire process offering as much support as needed, significant time savings, and custom solutions.

• Use our expertise to perform a thorough and accurate risk analysis and provide the best solutions for your risk mitigation plan.
• Provide the custom staff trainings and CE offerings, monitor staff training completion and provide polite reminders if needed.
• Facilitate the onboarding process and upcoming changes to help manage staff expectation and solidify authority to the SO.
• Provide Policy & Procedures templates and guidance through the customization. (Trust us when we say you do not want to write these from scratch!)
• Provide a bank of resources to help all levels of tech comfort.

What will the Security Officer need?

• Information on your technology set up (think WIFI, network, devices) or the contact info for the people who set up your tech systems.
• Ability to contact contractors or work associates, such as billers, when integration questions arise.
• Need to be assigned administrator levels of access to important systems, like EHR systems, so they can set security measures.
• If not the owner, a level of empowerment to make decisions, enforce regulations, and be an integral part of the chain of command.