Archive for Policies and Procedures
CMS’ Office of E-Health Standards and Services has posted what serves as an audit checklist on the CMS website. Look for the document entitled “Information Request for Onsite Compliance Reviews,” which highlights areas of vulnerability associated with the security of electronic PHI.
Want a preview of the upcoming November edition of Health Information Compliance Insider, HCPro’s eight-page newsletter? Take a look at this CMS HIPAA compliance review study. We analyze the report and give you tips on what to learn from it.
Go here for more information about the newsletter.
In constructing your HIPAA risk assessment, involve individuals from all levels of your organization and all user groups, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix and principal at HIPAA Boot Camp in Casa Grande, AZ. For example, data entry staff members, the manager of IT infrastructure, and the individual in charge of IT can all provide valuable input to the risk assessment.
Take a holistic approach with your risk assessment, says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, president of Margret\A Consulting, LLC, in Schaumburg, IL. For example, HR managers may be able to provide input for developing policies about training your workforce.
Build and develop collegial relationships, says Ruelas. Physicians from one practice can consider working with trusted colleagues from another practice and conduct the risk assessment together, he says.
Editor’s note: The preceding is an excerpt of an article in the April 2010 issue of the HCPro, Inc. newsletter, Briefings on HIPAA. See next week's HIPAA Weekly Advisor for more tips.
Are there requirements or standards that advise how long a CE should retain audit logs of system activity (login, read, modify, etc.) and logs of security breaches? If not, what are other providers/hospitals doing?
Linda Kristie
Consider these factors during any internal HIPAA privacy breach investigation:
- Intent. Were a staff member’s actions intentional or accidental? Was the breach a result of the staff member’s curiosity or concern? Was there personal gain or malicious intent? A staff member who accessed a patient’s medical record to sell information to a tabloid newspaper would incur greater sanctions than a colleague who inadvertently left information visible on a computer monitor.
- Risk potential. Did a patient suffer financial, reputational, or some other type of harm? (HHS’ breach notification interim final rule asks the same question through its “harm threshold” concept.) Did the organization suffer harm resulting in regulatory action, including penalties and fines, or in licensing, legal, or reputational problems? “Even the simplest mistakes could result in harm to the organization,” said Nancy Davis, MS, RHIA, director of privacy/security at Ministry Health Care, an integrated healthcare system based in Wisconsin.
Editor’s note: These tips were adapted from an article in the March 2010 edition of the HCPro, Inc. newsletter, Briefings on HIPAA. Look for more tips next week.