Continual risk assessments must be a part of life for behavioral health organizations. Electronic information technologies change daily, and the risks to protected health information (PHI) change with them. You may have a good security management process in place, but is it great? Taking the time to review the U.S. Department of Health and Human Services Summary of the HIPAA Security Rule against your organization's actual practices over the last year is one step toward finding out. When it comes to computer equipment, portable devices, networks and servers, employee practices (written and verbal), and the transportation and storage of data, an annual risk assessment alone is not enough.
Risk analysis should not be just an annual event but a practice that accompanies every activity involving PHI. Awareness is crucial. Staff from all levels of all departments should be invited to open discussions about your current practices. A one-hour brainstorming session led by your privacy officer will surface the loopholes, or at a minimum some areas of concern. Upper management may not be aware of gaps that could expose the organization to a breach. Giving the staff who handle PHI every day an opportunity to voice their concerns will point your privacy team to the openings that need to be closed quickly.
In April 2015, the Office of the National Coordinator for Health Information Technology (ONC), part of the U.S. Department of Health and Human Services, published a PDF titled Guide to Privacy and Security of Electronic Health Information. It is a useful set of guidelines covering the general requirements of the HIPAA Privacy and Security Rules that you can draw on when improving your security management process from good to great.
Proactively reviewing your security management process will assist in keeping the protected health information of your clients safe and secure.