Skip to site content

Indian Health Service The Federal Health Program for American Indians and Alaska Natives

Share This Page:

Making Patient Records Secure Through Risk Analysis

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule 45 Code of Federal Regulations (CFR) 164.308(a)(1)(ii)(A) requires medical entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.” Likewise, one of the MU core objectives requires medical entities to conduct or review a security risk analysis in accordance with the requirement under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of its risk management process. Simply stated, medical entities must perform a security review of their electronic health care system and correct any identified deficiencies. This review must be done on an annual basis and includes the electronic health record, internal network, external connections, and software and hardware that are interconnected. Any deficiencies or vulnerabilities must be prioritized and corrective plans created. Management must review and approve all corrective action plans.

Within IHS, the OIT Division of Information Security created two templates. The first one, called the Risk Analysis Template, should be used for internal D1 active directory sites. This template will walk the site’s risk analysis team through a series of checks and provide many of the enterprise-level tools and reports needed for completion. The second one, called the External Risk Analysis Template, should be used for any site not on the D1 active directory domain and can be found under the Stage 1, 2014-2015 Performance Measures (scroll to the bottom of the page). The External Risk Analysis will walk risk analysis team members through the same series of checks, but it does not provide site-specific tools and cannot provide specific practices. Tribal and urban sites that have adopted IHS enterprise policies should include those polices with any site-specific policies in use.

After completing the Risk Analysis Template, it becomes the Risk Analysis Report—a roadmap for mitigating any identified deficiencies or vulnerabilities.

The overarching goal is to ensure patients that IHS adheres to industry standards in protecting their information. Patients who feel their electronic health information is secure tend to provide a more complete history to the medical personnel treating them. Better histories allow staff to provide better patient care, which is our ultimate purpose.

Return to RPMS EHR Certification