Automating your HIPAA compliance methods may be a bit daunting when presented as a whole. It’s impossible to effectively obtain HIPAA compliance by yourself these days. Since the introduction of the HITECH Act and the new Omnibus Rule, things have only become more difficult. Now that most practices have moved to an EHR system, network security has become of utmost importance. Risk Management is no longer a task that can be internally maintained by a small family practice.
The most effective method for preventing data breaches is performing regular Risk Analyses on your network, and workplace. Ensuring Administrative, Technical, and Physical Safeguards are being met will make data breaches far less likely to happen. Knowing when to perform the Risk Analysis can also be a tricky concept. Health and Human Resources enjoys being vague and non-descriptive when it comes to some Risk Analysis necessities, so here are a few questions to ask when considering whether or not to perform a Risk Analysis for your company this quarter.
The Test Questions
- Have you recently moved to or updated your EHR system?
- When was the last time you conducted a company-wide Risk Analysis?
- Has your workforce received adequate HIPAA Security Training and Limited Access?
- Have you updated any hardware within your network?
- Have your passwords been changed in the last 90 days?
After assessing some of these questions you will be able to better decide if a Risk Analysis needs to be performed. Once the risks within your network are identified via your Risk Analysis, you need to make a plan of action. This plan of action should be incorporated into your Policies & Procedures (see SEC. 1173 (a)(b)). Your Policies & Procedures should also be practice-specific and comprehensive. Examples:
- Firewall security.
- Battery backup system.
- Malicious software prevention (Kaspersky).
- Automated password changes every 90 days.
- Windows logging activated and reviewed daily.
- Server logging activated and reviewed daily.
- Assigned access per employee.
Plan of Action & Business Associates
Your plan of action may be the only thing keeping you from accruing large financial penalties under HITECH and the Omnibus Rule. Risk Management should be on top of the priorities list with your Administrative staff. When implemented correctly and efficiently, you can show any auditor that “Reasonable and Appropriate” efforts are being made to keep ePHI secure. When we evaluate the workplace, the network and workstations are scanned completely in order to provide you with a broad overview of what can be done to provide a secure network and workplace.
Since the HITECH Act and the Omnibus Rule have passed, HIPAA now requires that all Business Associates and subcontractors be HIPAA compliant as well, unless a business associate doesn’t deal with PHI or ePHI, as in the exceptions stated in 45 CFR 164.502(e).
These new rules go deeper than one might imagine. They include almost all of your known Business Associates! That being said, it is very important that if your Business Associates refuse to sign a BAA, you look elsewhere to provide your clients a safe, HIPAA compliant clinic.
As a Covered Entity you are already carrying the majority of the liability, but the new Omnibus Rule provides a way to disperse the liability and give credit where it’s due. The best way to maintain working relationships with your current Business Associates is to show them where to obtain training. You may also want to obtain help in retrieving and verifying BAAs (business associate agreements) and HIPAA Compliance Audits within your Business Associates. Business Associate Management is a very effective way to show progress towards compliance as long as you maintain the correct documentation.
Health IT Findings
What we in Health IT are finding is that, in a world of servers, computers, tablets, and smartphones, the need for a competent IT company is so important! Finding an IT company to manage your network is never easy from a health care perspective. The company you choose not only has to be HIPAA compliant, but its network of Business Associates has to be compliant as well. There are very few companies out there that are willing to take the risks and still maintain HIPAA compliance. A company like Proponent IT can provide all the health IT and managed services you need to automate your HIPAA Compliance Process.