HIPAA Security Rule
Organizations that create, receive, store, process, or transmit protected health information (PHI) are required to be fully compliant with the provisions of the HITECH Act and the HIPAA Security Rule. This includes medical and dental practices, retirement communities, and any business associates that provide services involving PHI on a covered entity's behalf.
According to the American Medical Association website, "with HIPAA compliance dates having now passed in respect of the privacy regulations and the transaction and code set requirements, physicians now have a notion of what to expect. The thought of security compliance should not be a shock; nonetheless, compliance will not happen overnight. Remember that security is a flexible, scalable concept, and thus inherently manageable—with adequate time and preparation."
Perhaps the most significant change introduced by the HITECH Act is the requirement for HIPAA-covered entities and their business associates to provide notification in the event of a breach of “unsecured protected health information (unsecured PHI).” PHI is "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method HHS has specified, such as encryption. This means, for example, that if a hacker were able to gain access to a physician practice’s computer system, laptop, tablet, PDA, etc. that contained PHI that was not encrypted, the physician practice may need to notify the affected patients and the Department of Health and Human Services (HHS) of the breach. For breaches affecting more than 500 residents of a state or jurisdiction, the practice must also notify prominent media outlets. Conversely, PHI that is encrypted in accordance with HHS guidance is not "unsecured," so loss of a properly encrypted device does not by itself trigger the notification requirement. A breach of unsecured PHI therefore exposes your patients’ most sensitive information and, through the notification requirement, causes reputational harm to your practice.
Concerning Cyber Threats:
“Cyberattacks are the largest single threat to the delivery of healthcare in the US.” – Steve Curren, Director of the Office of Emergency Management, Division of Resilience HHS Assistant Secretary for Preparedness and Response.
We have been helping practices of all sizes with Security Rule compliance. Health and Human Services (HHS) and its Office for Civil Rights (OCR) have been enforcing the provisions of the HITECH Act vigorously, and their enforcement actions have reached practices of all sizes. The message is clear: no one is exempt from the provisions of the HITECH Act or from the related enforcement actions.
Compliant? Do You Have These Areas Covered?
- Have you completed and documented the required Risk Analysis that is compliant with the Security Rule guidelines? Is it current?
- Do you have the required Breach Notification plan in place? Have you trained your personnel within the last 12 months regarding the plan?
- Do you have the required written documentation showing your ongoing monitoring and compliance efforts?
- Do you have the required written disaster recovery and business continuity plans?
- Are your privacy notices and business associate agreements up to date?
- Does your staff training cover all areas required by the HITECH Act and Security Rule?
- Do you have documentation that shows how you have addressed ALL the implementation specifications of the Security Rule?
What TEG Can Do For You!
We can help you through this process. Implementation is time-consuming; ongoing maintenance is less so. Through a series of structured meetings, we direct your focus to specific target areas and give you the guidance, templates, and information requirements to help you complete one area at a time. Without a structure, this project will easily overwhelm even the most sophisticated practice. We help you stay focused and on track with agendas and task lists that take it one step at a time.
We provide the support to coordinate and run a series of periodic meetings with your staff and IT support personnel, minimizing wasted time and effort and keeping the project moving ahead. Again, we provide sample procedures, documentation, and templates so your team is not wasting time creating procedures from scratch.
We provide as much or as little support as your practice requires. We can act purely in a consulting role, or we can provide on-site help to conduct interviews and carry out the information-gathering tasks if your staff cannot find the time.
Contact us today to learn more!