Reopen with Renewed Focus on Protecting Patient Privacy

Brett Paepke, OD

RevolutionEHR Director of ECP Services

Have you ever gone to an appointment of your own as a patient and noticed things that made you uncomfortable? Perhaps when you checked in you didn't like writing your name on a sign-in sheet that showed the names of every patient in the office that day. Or maybe the front office team was freely and audibly discussing Mr. Jones' case and you wondered whether they'd talk about you the same way after you left. Whatever the situation, you have certain expectations about the security of your personal information, and you expect that health care teams will work to protect your privacy.

Your patients are no different. Your commitment to privacy and security is a commitment to not only your patients but also your practice. And a key part of a solid internal privacy and security program is the Security Risk Assessment.

What is Security Risk Assessment?
A Security Risk Assessment (SRA) is an analysis that identifies the risks in your practice, your technology and your processes, and verifies that controls are in place to safeguard against security threats. It is the "risk analysis" that the HIPAA Security Rule requires of every covered entity (45 CFR 164.308(a)(1)(ii)(A)): an inventory of where electronic protected health information (ePHI) lives, the threats to it, and the likelihood and impact of each.

How to Get Started
Our practice is a big proponent of "staging" the patient experience by stepping outside of the office and re-entering through the eyes of a patient. We ask ourselves "What do you see?", "What do you hear?", even "What do you smell?", all in the interest of improving patient impressions. It's by looking through the lens of the patient that we're truly able to appreciate areas for improvement. Importantly, it's not a one-time exercise, either, because putting our best foot forward is a never-ending responsibility.

That same thinking and process can be applied to privacy and security within the walls of your practice. In fact, that's at the core of the security risk assessment (SRA) process expected by HIPAA and by quality reporting programs like MIPS, whose Promoting Interoperability category requires you to attest that an SRA was performed. Your SRA process should inventory the patient data in your practice (where it is stored, how it moves, and who can reach it), identify risks to the privacy and security of that data, and then organize those risks into a plan for mitigation. As an example, if you identified that a workstation in your dispensary was oriented in a way that allowed patients to see your EHR, that could be listed as a risk for mitigation, paired with a fix such as repositioning the monitor, adding a privacy filter and shortening the screen-lock timeout, and assigned a "due date" for resolution. Your due date for a specific risk could be based on the scope of work required relative to the potential impact of not addressing it: high-impact, low-effort items come first, and large projects get a realistic but firm date rather than no date at all.

Importantly, the identification of risks is expected. If your SRA doesn't identify anything that needs attention, there's a good chance you didn't look hard enough. Said differently, the presence and identification of risks is not the problem; the lack of a plan and effort to reduce those risks is. A well-documented SRA and mitigation plan can be the foundation of your internal security policies and practices and will serve you well in a third-party audit. Keep in mind that HIPAA requires you to retain this documentation for six years from when it was created or last in effect, so date and archive each version rather than overwriting it.

Action Plan

1. Commit to performing an SRA in 2020. There's no escaping the fact that an SRA will require your attention and some time. Thus, embarking on the process outside of the typical whirlwind of practice can be a great approach. You can take it all on yourself or you can engage an experienced third party to guide you and be the voice of experience. If you choose the former, consider using a federally produced tool to guide you. Thankfully, the Office of the National Coordinator for Health IT makes one such tool, the SRA Tool, available at no cost. It can be downloaded to a tablet or laptop and will not only walk you through the risk exploration process, but also help prioritize the risks you find and produce a PDF of results. Whichever route you choose, make sure the assessment covers every system that stores or transmits ePHI, including your EHR vendor, billing service, email and any backups, not just the devices in the exam lanes.

2. Use SRA findings to create a mitigation plan. Set a due date and a responsible person for each risk to be addressed, and stick to your plan. Document dates of completion. Should you need to change anything along the way, that's OK; just be sure to document the rationale for the change.

3. Create office policies where needed. Your SRA might identify that you, for example, don't provide regular privacy and security training for your team. There's no better time to formalize a policy for that than now, and HIPAA expects one: workforce training, along with the policies and procedures you adopt, must be documented and reviewed periodically.

RevolutionEHR is committed to staying on top of eye care industry updates on behalf of our customers. If you're interested in partnering with us for EHR software and practice solutions, contact us at 877-738-3471 x1 or explore our solutions on our website.
