HIPAA, MU and the Security Risk Assessment

How do you feel about your organization’s adherence to the current state of HIPAA regulations?

Full HIPAA compliance goes far beyond just a Notice of Privacy practices and an email signature. Among other things, all providers are required to conduct a Security Risk Assessment and then follow that up with an Action Plan to address any weaknesses and ensure compliance going forward. Has your organization gone through this process? When was the last time it was updated?

The Risk Assessment, in particular, has been getting a bunch of extra attention lately, because it is part of the criteria for Meaningful Use. However, even if you are not attesting to MU, it is still an important component of HIPAA compliance in general.

Unfortunately, there is not a whole lot of official guidance on exactly what a Security Risk Assessment entails. CMS has published a tip sheet that provides some helpful information and answers.

From the CMS document:
There is no single method or “best practice” that guarantees compliance, but most risk analysis and risk management processes have steps in common. Here are some considerations as you conduct your risk analysis:

  • Review the existing security infrastructure in your medical practice against legal requirements
    and industry best practices
  • Identify potential threats to patient privacy and security and assess the impact on the
    confidentiality, integrity and availability of your e-PHI
  • Prioritize risks based on the severity of their impact on your patients and practice

Clear as mud, right? Fortunately there are some better resources available.
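To show what those three CMS considerations actually produce, here is an added example that is not from the post, the CMS tip sheet, or the book it reviews. It builds a toy risk register for a small practice: a gap review of existing safeguards against a checklist (step 1), a list of threats rated for likelihood and for impact on the confidentiality, integrity and availability of e-PHI (step 2), and a prioritized action plan (step 3). The 1-to-5 scales, the "likelihood times worst-case impact" score, the High/Medium/Low bands, the safeguard checklist and every asset and threat are constructed for illustration; none of them is quoted from HIPAA or CMS.

```python
"""Toy HIPAA-style risk register (added example, not official guidance).

Scoring model is an assumption: score = likelihood * max(C, I, A) on 1..5
scales, banded into Low / Medium / High. Adjust to your own methodology.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str                 # system or location where e-PHI lives
    threat: str                # what could go wrong
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    confidentiality: int       # impact on C, 1 (negligible) .. 5 (severe)
    integrity: int             # impact on I
    availability: int          # impact on A
    existing_controls: list[str] = field(default_factory=list)

    def impact(self) -> int:
        # Worst-case impact across the three e-PHI properties.
        return max(self.confidentiality, self.integrity, self.availability)

    def score(self) -> int:
        return self.likelihood * self.impact()

    def level(self) -> str:
        s = self.score()
        return "High" if s >= 15 else "Medium" if s >= 8 else "Low"


# Step 1: a constructed safeguard checklist (illustrative, not the legal text).
REQUIRED_SAFEGUARDS = {
    "full-disk encryption on portable devices",
    "unique user IDs and access logging",
    "tested e-PHI backups",
    "workforce security awareness training",
    "encrypted transmission of e-PHI",
}


def control_gaps(implemented: set[str]) -> list[str]:
    """Safeguards on the checklist that the practice has not implemented."""
    return sorted(REQUIRED_SAFEGUARDS - implemented)


# Step 2: constructed sample threats for a small practice.
SAMPLE_RISKS = [
    Risk("EHR server", "ransomware encrypts patient records",
         likelihood=3, confidentiality=3, integrity=4, availability=5,
         existing_controls=["offline backups"]),
    Risk("Front-desk laptop", "laptop lost or stolen with cached e-PHI",
         likelihood=4, confidentiality=5, integrity=1, availability=2,
         existing_controls=["screen lock"]),
    Risk("Billing workstation", "staff member emails unencrypted claims",
         likelihood=3, confidentiality=4, integrity=1, availability=1),
    Risk("Practice website", "defacement of public site (holds no e-PHI)",
         likelihood=2, confidentiality=1, integrity=2, availability=2),
]


# Step 3: order by score, highest first (asset name breaks ties).
def prioritize(risks: list[Risk]) -> list[Risk]:
    return sorted(risks, key=lambda r: (-r.score(), r.asset))


def action_plan(risks: list[Risk], implemented: set[str]) -> list[dict]:
    """Numbered work list: each risk with its score and level, plus control gaps."""
    plan = []
    for rank, r in enumerate(prioritize(risks), start=1):
        plan.append({"priority": rank, "asset": r.asset, "threat": r.threat,
                     "score": r.score(), "level": r.level(),
                     "existing_controls": r.existing_controls})
    for gap in control_gaps(implemented):
        plan.append({"priority": len(plan) + 1, "asset": "all e-PHI systems",
                     "threat": f"missing safeguard: {gap}", "score": None,
                     "level": "Gap", "existing_controls": []})
    return plan


if __name__ == "__main__":
    have = {"tested e-PHI backups", "unique user IDs and access logging"}
    for item in action_plan(SAMPLE_RISKS, have):
        print(f"{item['priority']:>2}. [{item['level']:<6}] "
              f"{item['asset']}: {item['threat']}")
```

The value of the exercise is the ordering, not the arithmetic: the stolen laptop outranks the ransomware scenario here only because likelihood is rated higher, and the website defacement lands at the bottom because it touches no e-PHI. Re-run the register whenever assets, threats or controls change, which is the "update" the post asks about.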

One of the best that I have found is a book by Robert Brzezinski, titled HIPAA Privacy and Security Compliance – Simplified.

This is essentially a ‘Do It Yourself’ manual for the Security Risk Assessment and HIPAA compliance in general. It is specifically aimed at small and medium-sized healthcare practices, which are less likely to be able to afford expensive consulting fees or dedicated information security personnel.

From the introduction:
“This book is the doer’s guide to implement the risk management program and improve the information security and compliance posture of the organization.”

The book is composed of 3 main sections:

  1. A general overview of HIPAA laws and reasoning
  2. A step-by-step plan for creating your own risk assessment and security policy, divided into approximately 25 ‘day’ increments
  3. A set of sample policy and procedure documents that can be adapted and customized with little additional effort

In addition to the printed text, the author will also provide (by email) a set of spreadsheet and document templates that can be downloaded and used in each step of the process.

If you work through the entire process laid out in the text, you will end up with a comprehensive Security Risk Analysis for your practice, a procedural framework for accommodating future growth and changes, and a full set of HIPAA compliance documents and policies.

In short, this $50 book can potentially save you thousands of dollars in consultant fees, and deliver a comprehensive solution that you and your staff can fully understand and commit to. I highly recommend it for anyone who is less than certain about their full compliance with HIPAA regulations.
