Our last newsletter went into some detail about risk assessments.  We discussed important terms and the nine steps of a risk assessment.  However, one of our readers asked for clarification about risk assessments and how they relate to EMR and IT contractors.  This is an important topic in and of itself.

I am sure there are many of you who have the same question.  Who is responsible for conducting your risk assessment, and how does it relate to your EMR and IT department?  The short answer is that it will depend upon the different contracts and agreements you have in place with your EMR vendor, IT provider, or other business associate.

Risk assessments touch many different areas of your practice.  There is an IT component that addresses the configuration and security of your computers, mobile devices, digital media, and your network.  Your EMR falls in this category, as it typically involves hardware and software that run under your control.  Even if your EMR is web-based, you are still ultimately responsible for its security.

If your EMR vendor is also your IT provider, then your job is easy.  In this case, it should be their responsibility to make sure the hardware and software in your practice are set up and configured securely.  If you have an IT provider that is separate from your EMR vendor, you will need to carefully review your contracts to understand each party’s responsibilities.  The EMR vendor typically will only support their software, and it is up to your IT provider to support all of your hardware and other software.

However, you should keep in mind that a risk assessment addresses far more than just your computers and software.  The HIPAA Security Rule calls for administrative, physical, and technical safeguards.  Administrative safeguards involve things like policies, procedures, and training.  These are typically not the responsibility of your EMR vendor or your IT provider.  If you have a compliance officer or a HIPAA consultant, it is their job to make sure your policies, procedures, and training are managed appropriately.

Physical safeguards deal with things like door locks, security alarms, and sprinkler systems.  These are most often the responsibility of your facility manager, property owner, or landlord.  They work hand-in-hand with your administrative and technical safeguards to protect your data and keep you compliant.  You may have great policies and the best firewall on the market, but if your server room isn’t locked, you are not well protected.

A good risk assessment will touch on administrative, physical, and technical controls in your practice.  You will probably have to consult with your EMR vendor and your IT provider to complete an assessment, but you will also have to explore administrative and physical controls which are not their responsibility.  It is a good idea to hire a HIPAA consultant to review your policies, procedures, and physical controls.  Regardless of the agreements you have in place, the physician or practice owner is ultimately responsible for the risk assessment.

Ryan Ricks
Security Officer