HIPAA Risk Management


Are you prepared? Do you have an advocate, a trusted advisor, to help you navigate the mass of information? Is your organization at regulatory risk for something that is easily identified? Do you have a compliance officer? Who is responsible for compliance? Who pays the fines for non-compliance? What is Protected Health Information (PHI), and what are your risks? Staff who are not health care professionals still need to be educated if they have access to PHI. Who has access to your information?

We can provide comprehensive education for individuals, groups and vendors. The training and education program combines self-paced online lessons, multimedia content, certification exams and hands-on practical experience with access to a real-world certified EMR solution. Continuing Education Units (CEUs) and college credit are available.

What should a medical practice do to become HIPAA compliant?

Complying with HIPAA may be simpler than you think. There are three basic steps every medical practice should take to be HIPAA compliant:

1) Conduct a risk analysis.

A risk analysis provides a map to HIPAA compliance. The risk analysis may identify gaps in network security, privacy policies, HIPAA training, or other vulnerabilities. The analysis also provides guidance on correcting these problems. A risk analysis is the first requirement of the HIPAA Security Rule, and it is also a core requirement of Meaningful Use.

Every medical practice must conduct a risk analysis and review it annually.

The government recommends using experienced security experts to conduct the risk analysis: “Doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.” – ONC Guide to Privacy & Security of Health Information

2) Implement HIPAA documentation.

Every medical practice needs updated HIPAA documentation, including HIPAA-compliant policies and procedures, Business Associate Agreements, and the Notice of Privacy Practices (NPP). This documentation must be updated to reflect the requirements of the HIPAA Omnibus Final Rule of 2013. Implementing proper policies and procedures is critical to preventing data breaches! You must sign updated Business Associate Agreements with all vendors who come into contact with your patients’ Protected Health Information (PHI).

3) HIPAA training.

Every staff member who comes into contact with PHI must have HIPAA workforce training. This brief, affordable training will help staff to understand the law’s requirements and provides practical advice on preventing breaches. The law also requires every medical practice to designate a Security Officer, a staff member who helps to ensure compliance. The Security Officer should have more comprehensive training than other members of the workforce, for a greater understanding of HIPAA requirements.

HIPAA training must be conducted annually, and evidence of training compliance should be kept on file in case of audit or breach investigation.