You’ve all heard about HIPAA’s mandatory risk assessment.  Most likely you have also heard a good deal of conflicting information.  Are you confused?  Does it seem overwhelming?  We totally understand.  This topic is constantly made more complicated than it has to be – by IT companies, on blogs, and even by some HIPAA companies.

PCS always tries to make things 100% compliant but in the simplest manner possible.  To do that, we have to understand the HIPAA law letter by letter.  HIPAA clearly tells us one very important thing about risk assessments – they aren’t the same for large and small practices!  The original HIPAA language included the concepts of “flexibility and scalability”.  We can read from the law that HIPAA does not expect small healthcare practices to have the same complexity of compliance policy and operations as large entities.  It says that when a small practice creates its privacy and security standards, it is allowed to take the size, complexity, financial resources and capabilities of the practice into account.  While we still must make reasonable attempts to protect patient privacy, there are many things in HIPAA that have nothing to do with an optometry practice.  Generic one-size-does-NOT-fit-all programs designed for large clinics make the burden of compliance for small practices much harder than it has to be.

A big area of confusion is the belief that a risk assessment is all about your computer network.  While important, computer issues constitute less than a third of the components of a risk assessment.  A complete risk assessment has administrative, physical and technical components.  Administrative standards have a lot to do with employees and planning for an unfortunate security incident.  Physical standards have a lot to do with your physical building – locks, alarms, what kinds of media devices you have, and how you dispose of media containing patient information.  As you see, we haven’t said much of anything about computers yet.  The last area is technical standards – finally something specifically related to your computers and computer network.  Although your computer issues are important, very important, they are only a portion of your individual security risk assessment.

The obvious answer is to get help from a compliance company that knows optometry and the needs of small businesses.  A good way to think about conducting a risk assessment goes something like this.  Walk out to your parking lot and start toward the practice – look at the lights on the building, the locks, the alarms, where the medical records are kept, whether employees are trained, the level of auditory privacy based on how big your office is…all the things in the three areas of the security standards – yes, including computers.  Note anything and everything that could pose a risk to the privacy of your patients’ information.  THAT is a real risk assessment!

We can’t just point out things that could be a risk to privacy and not attempt to do something about those risks.  Sometimes we can eliminate them, sometimes we can mitigate them and sometimes we can’t do anything about them.  HIPAA tells us we must make – again, reasonable – attempts to eliminate or mitigate those risks, in a documented fashion.  That is what we call our risk management plan.

Let’s emphasize this again.  HIPAA compliance is hard enough.  It is a lot easier when you work with a company that understands the law and understands the profession of optometry.