Q&A: Adding new technology to the risk analysis
Q: Since our last risk analysis, we’ve added a patient portal. Do we need to include the patient portal in our risk analysis?
A: Yes, because it represents a potential threat to your patients’ protected health information (PHI). When you make any significant change to your IT infrastructure or make any major changes to your business or clinical practices, it’s recommended that you assess the risk before the change and after the change. If a risk analysis was conducted within a year of that change, there isn’t a reason to completely redo the risk analysis, though. A full risk analysis should be conducted annually, especially if you’re receiving Meaningful Use (MU) dollars.
When systems change, like adding a patient portal, it’s a good idea to assess what those changes mean as it relates to risk and mitigate identified risks before making the change. After the change is made, check to make sure the risks you identified and addressed were actually mitigated and that no new risks have arisen that could threaten your patients’ PHI. This should be included as a process in your risk management program. A risk management program is sound security practice and is a HIPAA and MU requirement.
Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your questions to Editor Nicole Votta at nvotta@hcpro.com.