Are you ready? Is your facility ready for the new HIPAA compliance security reviews? Have you heard that the Center for Medicare and Medicaid Services (CMS) is to begin on-site reviews for HIPAA security compliance in hospitals?
It has been six years since HIPAA privacy and four years since HIPAA security were permanently established in the healthcare industry. Since then, privacy and security have been linked together, and that link will continue.
As technology evolves and becomes more dominant within healthcare, a thorough understanding of the security standard is critical for optimal privacy practice.
I am sure that most everyone knows what the HIPAA security standards are, but if not, I have listed the location for your review and what the final rule specifies. The HIPAA security standards: the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information.
The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
In health care, we all need to pay attention to where our electronic health information is going, because our health care information is a target for many cyberspace offenders. With so much going on with identity theft, and now with medical identity theft, we all have reason to be concerned.
Concerns have been voiced by everyone from citizens to hospital administrators, and they are being heard when it comes to what is being done about security breaches.
For the first time, an agency is taking an active approach to limiting the offenders’ methods. CMS plans to begin its review and focus on 10 to 20 hospitals, and the results will be published, including lessons learned about data security issues.
Before the reviews begin, CMS will post on its Web site a checklist of security practices and issues covered in the rules, to prepare hospitals for what CMS will be looking for. So how does this news impact you or your organization?
The time we have before the process begins can be used to conduct an internal audit at your facility. You can also use this time to educate your staff. Education should be conducted at every level. So even if you are not working at a hospital, HIPAA compliance is a must.
What part of HIPAA should you educate your employees about?
Data Access Policies: This is making sure that users are only accessing data for which they are appropriately authorized.
Storage Policies and Procedures: This addresses the security requirements for media and devices which contain Electronic Protected Health Information (EPHI) and are moved beyond the covered entity's physical control.
Transmissions Policies: This policy focuses on ensuring the integrity and safety of the EPHI sent over networks.
Every policy that you put into place needs to have required training that goes along with it. No amount of risk analysis and policy development is effective if the workforce does not have an appropriate security awareness and training program.
Deresa Claybrook, MS, RHIT has over 25 years in the health care industry. She is the president of Positive Resource Health Care Industry Consultants, which specializes in Human Resource Management and Health Information Management with a special emphasis on transitioning the health care community to the Electronic Health Record (EHR). She may be reached at (405) 703-1115.