You are the IT and Security Manager for a small five-physician medical practice that uses electronic medical records (EMR) but has never performed a HIPAA security risk assessment. You need to prepare for the upcoming HIPAA Audit, and the healthIT.gov site recommends performing a security risk assessment using their Security Risk Assessment (SRA) tool (downloadable or paper).
Based on the scenario above, review the questions in the Administrative Safeguards portion of the tool. This private practice has many written policies, but the policies are often not updated, and training new personnel on HIPAA requirements is a bit haphazard and poorly coordinated. The practice does not have a formally appointed security contact, although the office general manager is the one that most people go to. The one-person IT professional tries to protect the patient’s information and access to that information as best that is possible, but people that leave the organization are often not immediately removed from having that access. Physical access to the building does require a key card access, but the building entrance is not monitored by cameras or the need to sign in. The company has not formally documented and mapped relevant business associates and has not secured business associate agreements related to patient information security. Although the receptionist area has a high counter, and patients typically cannot see the receptionist’s computer screen, patients can hear the phone conversations in the receptionist area. Access to the medical records is password protected but not encrypted, and not all computer screens have automatic locks when the screens are idle.
Identify at least 10 Administrative Safeguard questions from the tool that are particularly relevant to this organization. Identify each by number and the specific wording of the question.
Discuss at least five identified threats or vulnerabilities and discuss the likelihood and overall impact of each of these vulnerabilities in a table like the one below for each threat/vulnerability (you should have five tables).
Likelihood
Impact
Low
Medium
High
Low
Low Risk
Low Risk
Low Risk
Medium
Low Risk
Medium Risk
Medium Risk
High
Low Risk
Medium Risk
High Risk
For each threat/vulnerability, describe one or more safeguards that could be implemented against the threat/vulnerability. Suggested safeguards can be found in the SRA tool.
Write a summary that discusses what you learned by participating in this exercise. Discuss how difficult and costly completing this assessment might be for the small medical practice described in this case. Recommend possible solutions to make this assessment process possible for this small practice.