There are five steps to guide you through a Privacy Risk Assessment.
Step 1: Define the flow of PHI within your practice. Identify where PHI first enters, what happens to it as it moves through your practice, and how and when it is transferred, so that each hand-off can be checked against the policies in place.
Step 2: Identify any flaws in your flow of PHI and ePHI and recognize the threats that could arise from them: weaknesses in the flow itself, the potential for an information breach by a person or by software, and the risks that could impact your practice.
Step 3: Analyze your HIPAA compliance risk level and the potential impact each risk would have on your practice, then determine the likelihood of each risk. Combine impact and likelihood to assign every threat a high, medium, or low risk level.
Step 4: Implement security measures based on your risk assessment: document and understand your practice's risks, identify the security measures that resolve each risk, and implement those measures within 30 days of identifying the risk.
Step 5: Repeat Step 4 for every identified risk so that each one is addressed, documented, and resolved within the practice. Repeat the assessment as often as desired, but at minimum annually, to ensure that your practice and your employees remain HIPAA compliant.
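The five steps above amount to a procedure that a practice can track in a simple risk register. The Python script below is an added example and is not code from the original page: it models a constructed PHI flow (Step 1) and constructed sample findings (Step 2), rates each finding high, medium or low from its likelihood and impact (the 1 to 3 scoring and the rating thresholds are assumptions; the page only calls for the three levels), computes the 30-day remediation deadline from Step 4, lists overdue items, and checks whether the annual reassessment from Step 5 is due.

```python
"""PHI risk register for the five-step assessment above.

Added example, not from the original page. The PHI flow, the sample
findings, the 1-3 likelihood/impact scoring and the rating thresholds are
constructed assumptions; only the high/medium/low levels, the 30-day
remediation window and the annual reassessment come from the steps.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REMEDIATION_WINDOW_DAYS = 30      # Step 4: resolve within 30 days of identification
REASSESSMENT_INTERVAL_DAYS = 365  # Step 5: reassess at least annually

# Step 1: the PHI flow, from first entry to each hand-off (constructed sample).
PHI_FLOW = [
    "Patient intake (paper form at front desk)",
    "Intake data keyed into the EHR",
    "Nurse station workstation access to the EHR",
    "Claims sent by email to the billing clearinghouse",
    "Nightly backup to removable media",
]
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2}


def risk_level(likelihood: int, impact: int) -> str:
    """Step 3: combine likelihood and impact (each 1=low, 2=medium, 3=high)
    into a high/medium/low rating. The product thresholds are an assumption."""
    for value in (likelihood, impact):
        if value not in (1, 2, 3):
            raise ValueError("likelihood and impact must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Threat:
    """Step 2: a flaw or threat found at one point in the PHI flow."""
    flow_step: str
    description: str
    likelihood: int
    impact: int
    identified: date
    resolved: Optional[date] = None

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def due(self) -> date:
        # Step 4: remediation deadline is 30 days after the risk was identified.
        return self.identified + timedelta(days=REMEDIATION_WINDOW_DAYS)

    def is_overdue(self, today: date) -> bool:
        return self.resolved is None and today > self.due


def unresolved(register: List[Threat]) -> List[Threat]:
    """Open items, highest risk level first, then earliest deadline."""
    return sorted((t for t in register if t.resolved is None),
                  key=lambda t: (LEVEL_ORDER[t.level], t.due))


def overdue(register: List[Threat], today: date) -> List[str]:
    """Step 5 follow-up: open items that have passed their 30-day window."""
    return [t.description for t in unresolved(register) if t.is_overdue(today)]


def reassessment_due(last_assessment: date, today: date) -> bool:
    """Step 5: the whole assessment must be repeated at least annually."""
    return today - last_assessment >= timedelta(days=REASSESSMENT_INTERVAL_DAYS)


def sample_register() -> List[Threat]:
    """Constructed sample findings; not real data from any practice."""
    return [
        Threat(PHI_FLOW[0], "Completed intake forms left visible at the front desk",
               likelihood=3, impact=2, identified=date(2024, 1, 10)),
        Threat(PHI_FLOW[2], "Shared login on the nurse station workstation",
               likelihood=2, impact=3, identified=date(2024, 1, 10),
               resolved=date(2024, 1, 25)),
        Threat(PHI_FLOW[3], "Claims emailed to the clearinghouse without encryption",
               likelihood=2, impact=2, identified=date(2024, 2, 20)),
        Threat(PHI_FLOW[4], "Backup drive kept in an unlocked cabinet",
               likelihood=1, impact=3, identified=date(2024, 2, 20)),
    ]


if __name__ == "__main__":
    today = date(2024, 3, 1)
    for t in unresolved(sample_register()):
        flag = "OVERDUE" if t.is_overdue(today) else "due " + t.due.isoformat()
        print(f"[{t.level:6}] {t.flow_step}: {t.description} ({flag})")
    print("annual reassessment due:", reassessment_due(date(2023, 2, 15), today))
```

Running the script as-is lists the three open findings with the intake-form item flagged overdue (identified 10 January, window closed 9 February, still unresolved on 1 March) and reports that an assessment last performed in February 2023 is due again. Keeping `identified`, `resolved` and `due` as dates rather than free text is what makes the Step 4 deadline and the Step 5 annual check mechanical instead of a matter of memory.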