... Reduces health care fraud and abuse; Mandates industry-wide standards for health care information on electronic billing and other processes; HIPAA
Recently, we received a question from a physician's office: "I already had a consultant come in last year and do a HIPAA risk assessment. I am now compliant. Why do I need to schedule another HIPAA risk assessment this year?" A HIPAA Risk Assessment is not just a mandatory compliance requirement; it is something that needs to be done on an ongoing basis to keep your patient data safe and secure and to identify potential issues. Things change, things happen, and you need to monitor your security continuously. If you suffer a breach, the agency that conducts an audit is likely to ask for your most recent HIPAA Risk Analysis or Risk Assessment. If it is too far in the past, you might be considered negligent. If you participate in the MACRA/MIPS incentive program, you need to attest annually to the Centers for Medicare and Medicaid Services (CMS) that you have conducted the annual HIPAA Security Risk Analysis. These are some of the reasons why a HIPAA Risk Assessment is not a one-time practice. Risk Assessments should be reviewed at least annually, and again whenever new work methods are adopted or updated technology is introduced.
Top 5 actions you can take to prepare for your next HIPAA Compliance review or risk assessment:
Identify where your PHI is stored:
On your Computer?
In your office?
Within your network storage?
On the cloud?
How to Safeguard your PHI?
What are compensating controls?
Compensating controls, also called alternative controls, are put in place to satisfy a security requirement when the prescribed security measure is impractical to implement at the present time.
Examples of compensating controls:
When a medical office has paper charts filed on open shelves in a storage room or behind the reception desk, it is recommended that the charts be locked up at the end of the day. Often it is not practical to put locks on all the open shelves used to file charts. A compensating measure is to install cameras around the premises to monitor and record all activity. It is important that you also have a process in place to review the video recordings periodically.
If an ultrasound technician uses CDs, tapes and disks to store images, or uses a USB hard drive to transfer the images to PCs and the EHR, then these devices have to be encrypted. Often the technician is not sure whether the thumb drives are encrypted. A compensating control here is to lock the CDs and flash drives in a cabinet when they are not in use.
The Health Insurance Portability and Accountability Act (HIPAA) is primarily concerned with the privacy and security of patients' Protected Health Information. All entities that come into contact with Protected Health Information on a regular basis are covered under the Act. Has it been more than one year since your last HIPAA Risk Assessment? Or have you never had a HIPAA Risk Assessment done before? Either way, be sure to schedule your 2018 HIPAA Risk Assessment and 2018 HIPAA Training right away - don't wait until it's too late.
PCS World Network has been providing IT services to the medical industry for over 15 years. A Managed Solution Provider You Can Trust. We can help you solve many of your concerns.
PCS World Network, Inc.
P.O. Box 152249
San Diego, CA 92195
Off: (619) 272-7593
Fax: (619) 272-7592
By Parita Patel, 24By7Security