Inventory of Paper Records
A privacy risk assessment first includes an inventory of paper records, the safeguards used, and the risks. It answers the following questions –
- what records are there?
- where are they?
- how many of them are there?
- How many individuals are represented on the records?
- How are these secured?
- How are they protected from fire, flood, and other disaster?
Review of Processes
The second step is to review key processes that could either prevent or create a privacy breach:
- Release of Information (ROI), including routine releases as well as responses to subpoenas and court orders. How many ROI requests are processed and what is the accuracy/error rate (as measured by a 3rd party review)?
- Phone conversations, mailings, and faxes involving PHI. Approximately how many of these occur each month, what procedures/safeguards are in place, and what percentage are done improperly?
- Transportation of paper records. How often are records transported, and what percentage might be lost, stolen, and/or inappropriately accessed?
- Conversations with family and friends of individuals served. How many of these conversations occur, and what procedures/trainings are in place to ensure staff handle disclosures properly?
- Office layout and safeguards to keep conversations private. How are offices arranged, what technologies (e.g. soundmasking) are in place, and what is the traffic flow in the office?
- Demonstrated knowledge of staff. How often are staff trained, what is the commitment of management and supervisors, and what is the demonstrated knowledge of staff regarding procedures and safeguards?
Paper records are subject to loss, theft, damage, and/or inappropriate access. The risk assessment will explore the impact (in dollars) of these paper records.
People and systems aren’t perfect. The risk assessment will first quantify various activities (for example, how many ROIs are performed each month) and calculate an impact based on a potential error/violation rate. This rate can be estimated based on a random sample of completed ROIs evaluated in third party audit.
The Privacy Risk Assessment will quantify the likelihood that various negative outcomes will occur, the impact if they do occur, and the priority of any corrective action. Management can use these results to take corrective action. From experience performing these assessments, likely findings include:
- A higher than expected error rate with the Release of Information process is likely, creating liability for the agency, which can be corrected with improved training and management review
- Paper records are often not kept as securely as management thinks, with improvements possible
- Adjustments to the physical office can improve oral privacy
- Staff knowledge is less than expected and could be improved with expanded and/or improved training
Following this outline, an agency can prepare a risk assessment internally, identify risks and corrective action, and then act to enhance procedures to protect both the individuals served and the agency. For boards who lack either the time or the necessary expertise, Eagle Consulting Partners can assist.