HIPAA Compliance Questions to Ask as HITECH Date Nears

Dom Nicastro, for HealthLeaders Media, February 15, 2010

Apgar says the security rule requires covered entities and BAs to ask these questions:

  • Have I conducted a risk analysis lately, and did I properly document it, mitigate damages and document where risks were acceptable?

  • Is my privacy/security training current? Do I train new workforce members who will have access to personal health information (PHI)? Do I regularly conduct refresher training for all staff? Do I send out security reminders?

  • Are my policies and procedures complete, current and enforceable? Have I trained workforce members on the policies and procedures they are required to adhere to?

  • Have I implemented a comprehensive audit program (the security rule requires three periodic audits and an "evaluation" or compliance audit)? When did I last conduct an "evaluation"? Did I address audit findings, and did I properly document it?

  • Do I have current, up-to-date, and communicated disaster recovery and emergency mode operations plans and have they been tested recently?

  • Do I follow CMS' remote access guidelines (not necessarily part of the rule, but CMS earlier indicated that remote access management would be included as an audit criterion)?

  • What am I encrypting (e.g., data in transit, data at rest, etc.), and how am I protecting non-electronic PHI (breach notification and the privacy rule's "mini-security rule" requiring administrative, physical, and technical safeguard implementation for non-electronic PHI)?

OCR will be auditing facilities to check for HIPAA compliance, though it says it does not know when.

It will audit entities of all sizes from the sole practitioner to the multi-state healthcare corporation. And it's good to remember, Apgar says, that if any complaint is filed with OCR alleging willful neglect or suspected willful neglect, OCR is mandated by statute to investigate.

Above all, go back to the drawing board and make sure you're HIPAA compliant.

"It's difficult to comply with HITECH if you haven't complied with HIPAA in the first place," Apgar says.


Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at dnicastro@hcpro.com.
