Tip: Use security measures that fit the scope of your practice. As data incidents continue to multiply, the HHS Office for Civil Rights (OCR) has stepped up its HIPAA enforcement. With million dollar settlements becoming more prevalent, it’s critical that you meet the risk analysis demands outlined in the HIPAA Security Rule. Because, if you find yourself on the wrong side of a breach, the first thing the feds will ask for is how you’ve managed your risks. Privacy Rule Isn’t the Problem Practitioners and administrative staff find it much easier to wrap their heads around the HIPAA Privacy Rule, suggests Adam Kehler, CISSP, principal consultant and healthcare practice lead with Online Business Systems. The rise of health IT, however, puts the security of electronic protected health information (ePHI) at the forefront of compliance and securing that data is much more complicated. “Consider an analogy to cooking: Suppose a recipe says ‘Add as much milk to your recipe as is reasonable and appropriate.’ This may make sense for someone who is an experienced chef, but to the person at home just trying to follow a recipe, they have no idea how to determine ‘reasonable and appropriate,’” Kehler explains. “It’s the same thing with calculating risk.” He continues, “The HIPAA Security Rule requires that organizations implement ‘reasonable and appropriate’ security controls based on their assessment of risk. Most professionals who studied medicine or health administration are not in a position to make these decisions.” Add These Requirements to Your Risk Analysis Not only is assessing your practice risks smart business, but it’s an administrative safeguard provision under the HIPAA Security Rule. “The Security Management Process standard in the Security Rule requires organizations to ‘implement policies and procedures to prevent, detect, contain, and correct security violations (45 C.F.R. § 164.308(a)(1)’” OCR guidance reminds. Definition: “Risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization,” notes the National Institute of Standards and Technology (NIST) Guide for Conducting Risk Assessments. “This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.” Consider these basics as you pinpoint your practice’s HIPAA shortcomings: Tip: “By assessing the risk to the organization based on system criticality, threat levels, and business impact, organizations can prioritize their security spending for the greatest benefit,” advises Kehler. Resource: See more federal guidance on assessing risk at https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final.