Your healthcare practice would be much simpler if all of your work was simply dealing with patients. Unfortunately, the days when all that doctors and practice administrators had to be concerned with was patients is long gone. Today’s litigious climate- combined with government and insurance oversight – has left both doctors and administrators burdened with the bureaucracy of modern medicine. One of those burdensome tasks is the work involved in proving compliance with HIPAA, especially as it relates to Electronic Health Records (EHR’s).
A patient’s information can and should be protected with all of the resources that we can bring to bear on the situation. We all understand that, and we all believe in the sanctity of one’s privacy. The challenge for many small to mid-size practices and healthcare facilities is in understanding what to do in regard to HIPAA compliance as well as determining what they are equipped to do in-house and what parts of the compliance assessment and record keeping could benefit from the assistance of a consultant or specialized service.
When we boil down the regulations concerning EHR’s and HIPAA Compliance we discover the following facts:
A security risk analysis is required in the first reporting year within which a new certified EHR technology is adopted.
Following the first year, (and the required security risk analysis) every following year the healthcare practice is required to conduct an analysis or review prior to the date of attestation.
A risk analysis includes: determining the scope of the review, identifying potential threats and vulnerabilities, assessing the existing security, determining likely threats and their impact, assigning risk levels, and prioritization of remediation and mitigation of risks identified.
Following that initial security risk analysis, an action plan needs to be created to address the issues that were identified in a comprehensive and timely manner. In the years that fall after that initial security analysis of the new EHR certified technology, a review must be completed each year documenting the steps that were taken following the security risk analysis and dealing with any risk issues that have cropped up over time.
According to the Security Rule, the healthcare practice is required to “put into place reasonable and appropriate administrative, physical, and technical safeguards”. (US Department of Health and Human Services)
Some examples of these potential security measures are:
Building Alarm Systems
Shielded Computer Screens
Secure Backup of Data
Written Policies & Procedures
Business Associate Agreements
If you conduct electronic transactions (such as the storage or transfer of patient data or electronic billing), you are required to do risk analysis on all new EHR certified technology as well as the follow-up annual reviews. Apex understands that these involved and technical reviews are necessary but can be cumbersome for the small to mid-size practice. It is for this reason we have put together a group of experts in this field who have the experience to do the work and to guide you through the process.
With the many variations and combinations of makeup among healthcare providers, there is no specific method that the US Department of Health and Human Services requires for these analyses and reviews. Having no definitive checklist for HIPAA compliance is frustrating to some health care administrators, because they know that ultimately, the responsibility for the security of the EHR’s fall on them. Unfortunately, because of the complex diversity of healthcare practices and institutions, a single checklist is impossible. This is where professional cyber-security firms such as Apex come into the picture and work with the health care administrator or owner of a small practice to ensure HIPAA compliance.
Apex recently hosted a webinar on the subject, which can be viewed here to provide more information.
Additionally, CMS put together a handy Tip Sheet to provide an overview of the Security Risk Analysis requirement. The Tip Sheet to can be downloaded by clicking here.
To talk to Apex about your unique HIPAA compliance challenges, give us a call today at (800) 310-2739 or send an email to firstname.lastname@example.org. We have HIPAA experts standing by who would be glad to partner with you and take some of the stress of compliance off of your shoulders.
Looking For A New IT Company?
Download Our Free Guide To Selecting A New IT Firm.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.