
Tuesday, January 3, 2012

Thoughts for the New Year

Much continues to happen in the compliance world.  Before the turn of the New Year, I found myself helping a number of small practices move through their HIPAA security risk analysis process, which was inspired by their desire to meet the Meaningful Use criteria and receive incentive dollars.
Meaningful Use Core Measure 15 requires the eligible professional to attest “Yes” to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implemented security updates as necessary, and corrected identified security deficiencies prior to or during the EHR reporting period. This measure relates only to ePHI.

But wait, the federal HIPAA audits are underway. The regulators, through their private auditors, will be looking at privacy and security compliance, risks and best practices. So the providers I assist get a review of both privacy and security gaps and risks, because one cannot operate without the other. The resulting action plan and risk management process incorporate common-sense steps to reasonably address our findings and weave compliance through their regular operations. Privacy and security must be woven together, especially in the face of breach notification requirements at both the state and federal levels.

Not to mention the mandates of the Medicare Conditions of Participation, Medicaid, Joint Commission and both hospital and professional licensing boards for keeping PHI private and secure. A failure to have policies and systems to protect your patient data could lead to headaches on many levels.
For the new year, make it a priority to put your HIPAA and HITECH house in order.  You can't afford to work in a silo, addressing only electronic security or only privacy protections.  Both items must be on your to-do list.  Let me know if I can help.
