How Small Physician Practices Can Assess HIPAA Security Risks

With the number of possible violations that can land you with fines or even criminal charges, following HIPAA regulations is critical to protecting your patients’ privacy and keeping your practice alive. Constant vigilance and routine security and privacy risk assessments are vital to staying compliant. 

But what if you are operating a small practice? Without the resources of a large hospital or health system, conducting proper security risk assessments (SRAs) can seem daunting.   

Fortunately, there are actions that organizations of any size can take to ensure that patient health information is kept secure. Read on for a helpful playbook for conducting a HIPAA security risk assessment for a small physician practice.  

Step One: Evaluate Your Current Data Storage, Devices, Communication, and Security  

The first step you need to take is to ensure you fully understand your current setup and infrastructure. Then, take time to think about the following questions that are often part of a HIPAA security risk assessment:

  • PHI and Data Storage: How do you store patient records? Do you have physical paper files that you keep in a filing cabinet? Do you have digital patient records or a combination of physical and digital records? Do you have a cloud backup of all your data?
  • Devices: How many devices do you use for daily operations and storing data? Who manages those devices, and is there a way to track their usage? Is there a central physical location for storing them? Do patients and staff have access to them?
  • Security & Encryption: Are all your devices password-protected, and do they lock after a certain amount of idle time? Do you encrypt data and information as it is being sent, and do you encrypt stored data? Do you have anti-malware and anti-ransomware software on your devices? Do you have a private network that requires a password to which all your office devices can connect?
  • Office Communication and Email Security: What kind of email system does your office use? Do you have multi-factor authentication in place for email access? Are former employees completely offboarded and removed from email, messaging, and other in-office applications? Is your staff trained to spot suspicious emails and phishing attacks? 

This is not an exhaustive list, but it is a great starting point to evaluate what you will need to have in place as you begin your HIPAA security risk assessment and expand your understanding of potential risks and vulnerabilities. For a more comprehensive example of cybersecurity and HIPAA best practices, look over this checklist. 

Step Two: Review Your Processes 

After you analyze your current devices, network setup, data storage, and office communication, consider the processes you have in place that might put you at risk for HIPAA violations. 

First, think about how you enter and update patient data in your system. Your process for handling ePHI should have safeguards built into it that every employee follows, and every staff member, administrator, and relevant third party should be aware of those safeguards and trained to understand them. 

Then, it is time to evaluate your current process for routine security maintenance and monitoring. This might include consistent software security updates, periodic password changes, and a risk management plan in case of a cyberattack or breach.  

Step Three: Tighten Up Your Access

Who has access to what remains one of the most critical pieces of compliance you can control. A common HIPAA violation occurs when a staff member or third party accesses a patient’s record without consent. Unauthorized access to patient data accounts for 19% of all breaches reported in the United States. This severe violation of patient privacy can lead to fines and lawsuits.  

To assess your risk for this type of violation, determine exactly who can access patient data, through what systems, and whether access to relevant devices is protected. Additionally, be aware of what information third parties can access and evaluate whether your offboarding process involves removing all access for former employees.   

Step Four: Lean on the Experts

Smaller medical practices don’t always have the IT infrastructure or financial resources that larger organizations have, so it can help to hire cybersecurity consultants or HIPAA specialists instead of bringing on a full security team. 

Here is an example of how small practices achieved compliance with the help of IT consultants and HIPAA specialists. 

Case Study – RegEye’s Path to Compliance: A small ophthalmology practice that opened in the 1970s had dutifully served its community for decades. However, with changes in technology and new HIPAA regulations, RegEye needed a way to stay compliant and protect its patients.  

First, they started using an EHR (Electronic Health Record) system to reduce operating costs and streamline compliance. However, they needed consistent risk assessment and expert involvement to ensure that they were staying compliant. They did not have the technical expertise or the finances to bring on an entire IT team. So, they hired an IT consultant to help them. They hold regular mandatory meetings with their IT specialist, General Manager, and insurance company to discuss staff changes, policy updates, and HIPAA security matters.  


Need help getting on the path to HIPAA compliance? Our guided, step-by-step approach to HIPAA compliance makes this complex process manageable, saving you and your team valuable time and effort. Get in touch with the experts at Intraprise Health to get started.