Risk Assessments In Healthcare – Avoid Data Breaches


Risk assessments aren’t just a HIPAA requirement.  They are essential processes for ensuring the secure and proper operation of the business.

Maintaining the security and integrity of Patient Health Information (PHI) and electronic PHI (ePHI) is one of a healthcare practice’s key roles. Risk assessments help you achieve this.

Nobody wants to be the next target of a major health data breach. A good place to start assessing the security of PHI is to run an analysis on every location where PHI is stored.

It can be on databases, mobile devices such as phones and tablets and cloud storage. It’s also important not just to look at where the data is stored, but where it gets transferred to as well.

How is that data secured in those locations?  Are all of the devices encrypted to an acceptable level?  Password protected? How many employees have access and who are they?

Performing the required risk assessment and regular risk analysis will help healthcare organizations of all sizes safeguard this valuable information.

HIPAA Violation Assessments

Risk analysis is part of the administrative safeguard requirement under HIPAA regulations. It’s the responsibility of all covered entities to:

  • Assess the likelihood of potential risks to e-PHI.
  • Assess the impact of potential risks to e-PHI.
  • Implement security measures to adequately address the potential risks.
  • Clearly document the security measures.
  • Document the reason for adopting those measures, where appropriate.

The HHS website states that there must be “Risk analysis conducted on an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.”

There are four factors that HHS uses to determine the likelihood that PHI was improperly used or disclosed in a potential breach. Understanding these criteria will help organizations better review the possible risk areas.

•  What is the nature of the information involved?
•  Who is the authorized person responsible?
•  Was PHI actually acquired or viewed?
•  To what extent has the risk to PHI been mitigated?

There are tools available to assist in the risk assessment process. While these tools aren’t required under HIPAA regulations, they’re useful for creating a structure around the process and helping to identify spots you might otherwise miss.

Common Mistakes of Risk Assessments

Perhaps the biggest mistake healthcare organizations make when it comes to their risk assessment responsibilities is not updating their risk assessment process over time.

The risk management process itself must be regularly reviewed and updated. New tools and technology are constantly being developed; places for e-PHI to be stored and transferred are appearing all the time. If these aren’t taken into consideration, the risk assessment is going to leave enormous holes in security.

Telemedicine is a growing industry which involves a lot of new hardware, software, and communication channels. If a provider integrates a telemedicine service, this could present a number of areas where ePHI is being created, stored and transferred.

If this new ecosystem isn’t on your risk assessment process, your risk assessment process is useless. There’s no point in regularly running the process if it’s got major holes in it.

This oversight has led to some hefty fines over the years. In December 2015, the University of Washington Medicine (UWM) paid a $750,000 fine due to a breach from a 2013 “incident.”

It was found that UWM “did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”

Only focusing on one system led to breaches in other affiliate systems, which came back to bite UWM.

Similarly, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) paid a $650,000 fine in 2016. In this situation, the healthcare provider was just a business associate.

OCR found that from the HIPAA Security Rule compliance date to the present, CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS.”

Using Your Assessments to Improve Security

A risk assessment must review physical, technical and administrative safeguards. When potential risks are discovered, changes must be made to adequately cover these vulnerabilities.

Physical safeguards can include things like improved workstation and mobile device security. Nurse stations or other computers with valuable data might be easily visible to people in the facility, for example.

Potential solutions to minimize risk include timed log-off or screen shutdown, or even relocating the stations to a more secure location.

Technical safeguards can include things like ensuring access controls can be precisely set. That means granting access to one worker for one department does not necessarily grant them access to all departments.

An employee in billing, for example, doesn’t need to see a patient’s medical records.

Their security access should not grant them permission to view these files. The idea is that each employee is only granted access to the minimum necessary to perform their job.

Administrative safeguards include things like better workforce training or management. Proper training for access and handling of PHI is a major oversight of many security plans.

It’s also important to check all technology that data passes through. Today, that includes many things which are easy to forget or neglect.

Copy and print machines, for example, can now store and access data for printing purposes. They need to be included in both your processes and security protocol.

It’s essential to conduct a risk assessment annually.  You should perform one every time a new EHR is adopted.



Specialty Drugs and the Role of Managed Care Pharmacy


Healthcare providers and pharmacy benefit managers of today are keenly aware of specialty drugs. Managed care pharmacy plays a vital role today in medication administration and adherence. Specialty drugs are one way of managing chronic health conditions such as cancer, hemophilia, arthritis, HIV and others.

Optimizing pharmaceutical outcomes has become one of the fundamental issues for MCOs.  Managed care pharmacy now plays a significant role in specialty medications. Therapies are most commonly injectable or IV products though some are formulated as oral medications.

Many specialty drugs are genetically engineered proteins derived from human genes, thus the term “biologics.”

Specialty drugs, according to Medicare, require uniquely appropriate handling and administration. The availability of specialty drugs is often limited, and they are generally supplied through selected distribution networks. This results in specialty drugs carrying a significantly higher cost than that of non-specialty drugs.

The National Comprehensive Cancer Network made clear the responsibilities of specialty pharmacies. Specialty drugs are to be tracked according to policy standards. Patients stay in direct contact with health care providers to ensure that they keep well informed and follow proper protocol.

What Is Managed Care Pharmacy?

This health care management practice can be traced back to the 1930s. It is an organized health care delivery system specifically assigned to enhance the availability of health care. It’s also designed to extend excellent and comprehensive pharmaceutical care to a group of patients. It ensures overall improvement of healthcare and health conditions.

A managed care pharmacy coordinates directly with other health care providers to determine the most effective pharmaceutical treatment for patients. It focuses on the practice of administration. A managed care pharmacist identifies a specialty drug as either a medical or pharmacy benefit. The pharmacist closely monitors the patient’s progress and consistently follows up on their condition. Managed care pharmacists also play an extremely important role in prior authorizations and tracking.


An important responsibility of the managed care pharmacy is to keep track of and account for the distribution of specialty drugs. This market makes up just 1% of the total patient population.  Another role would be to monitor the patient’s compliance in administering specialty drugs. Ideally, this occurs in conjunction and coordination with the entire healthcare network and providers.

The Role of Managed Care Pharmacies in Specialty Drugs

As stated, specialty drugs are very expensive, which creates the need for, and the role of, managed care pharmacy. Specialty pharmaceuticals will have a notable impact on pharmacy practice over the next decade and beyond. Efficient and effective medication management is now one of the top priorities of managed care pharmacy. The goal is to ensure the proper utilization of these high-cost drugs.

Specialty drugs have unique modes of distribution and dispensing requirements compared to more traditional drugs. They require proper handling and storage and also monitoring of each patient. Distribution must follow the most appropriate channels for the very fact that they are specialty drugs.

The optimum role of managed care pharmacy is superior distribution of specialty drugs in the most cost effective manner.

Quality Healthcare Services

Delivering quality health care services should be the guiding principle of all health care contractors. Managed care pharmacies are best staffed with health care practitioners who offer the best assistance and advice possible. Managed care pharmacy ensures that patients receive the safest and most appropriate medication in a cost-effective fashion.

New medications, including specialty drugs, are closely monitored for safety and effectiveness by managed care pharmacy professionals. Those professionals include pharmacists, nurses, and physicians. They ensure that patients have full access to effective pharmaceuticals and are receiving the most appropriate therapies.

Relationship With Patients

When managed care pharmacy establishes good relationships with patients, essential medical care is established. This creates a positive impact on the patient’s life and thus benefits the entire community.

Pharmacists in a managed care pharmacy are closely involved with diverse clinical services and a multitude of health care responsibilities. These include proper distribution of medications, close monitoring of patients’ progress, therapy compliance and disease management. These needs are crucial, and demand that managed care pharmacy strive to offer cost-effective pharmaceutical care.

Managed care pharmacy isn’t necessarily always driven by financial strategy through new insurance products.  The goal is to achieve patient satisfaction by offering support on comprehensive therapies and pharmaceutical services.

