Conduct Your Own Risk Analysis for HIPAA/HITECH Compliance
Deb Legge, PhD CRC LMHC
Analyzing risk on an ongoing basis is one of the things we clinical mental health counselors need to do to make sure we are doing the best job of protecting our clients' protected health information (PHI). Auditing your own practice helps you identify where the risks are and build a plan of action that addresses them.
Take a look at your practice. Consider each step of the process, from the potential client’s first inquiry, to destroying out-of-date files long after discharge.
Here are some questions to get you started.
- If you are using a laptop or cell phone: What happens to your data if the device is lost or stolen? Use a strong screen lock, turn on full-device (disk) encryption, and know how to remotely "wipe" the device when necessary. Under HHS guidance, PHI that was properly encrypted when the device was lost is generally not considered a reportable breach; unencrypted PHI on a lost device is.
- If clients are contacting you by email: Is your email secure? A message is only as protected as the weaker of the two ends, so even if your email is secure but your client's is not, the exchange will not be HIPAA-compliant.
- Are you keeping all of your email exchanges? Where those exchanges are part of the client's record, your client has a right to request copies.
- If you are using an email program to store your clients' contact information, or you send email to communicate with clients (even just for appointments): Realize that your email account may be hacked. If spam is sent from your account, there is a good chance your entire contact list will show up in the CC line. That means everyone who receives that spam, which will appear to come from you, will be able to see the email addresses of all of your contacts, and the other clients on that list are exposed to one another. (As you know from the emails you get from people whose accounts have been hacked, the content is likely to be bizarre.) One way to keep client messages both secure and available is a client "portal," a secure messaging feature now built into many practice-management and billing programs (such as TheraBill).
- If you have an assistant, billing person, or other support staff with access to your clients' protected health information (PHI): Your own employees are members of your workforce and must be trained on, and held to, your HIPAA policies. Outside people and companies that handle PHI on your behalf (an independent billing service, for example) are business associates, and you need a signed business associate agreement (BAA) with each one that holds them to your standards for protecting your clients' PHI.
- If your clients' information is kept on your computer: How many layers of protection stand between an outsider and that information (a device login, disk encryption, a separate password on the records application), and how strong is each one? Ask the same question about paper files in filing cabinets.
- If you share an office with other clinicians: Do you share file space, or do you have your own filing cabinet? Can you lock your file cabinets? If so, do you keep the key in a secure place?
Walk yourself through the processes you have put in place to run your practice. Identify every point where PHI could be exposed, and for each one note the measures you are taking to reduce that risk.
Then be sure to make this analysis part of your HIPAA policies and procedures (yes, you should have those as well).
These safeguards don't have to be complicated; just keep a written record of what you assessed, what you decided, and what you did, in the event you are ever audited. You have to be able to show that you are making a good-faith, documented effort to provide privacy and security for your clients' PHI.