As a healthcare provider, much of the Electronic Protected Health Information (ePHI) you maintain and share with other entities is crucial to your business and important in the care you provide to your patients.
Lost or stolen laptops, identity theft, malfunctioning computers and hackers are just a few of the risks you face when you receive, store, and transmit electronic health information.
Providers face major troubles if their patient’s ePHI is stolen, lost, misused, incorrect or if it is unavailable.
The US Department of Health and Human Services (HHS) developed and signed into law the HIPAA (Title II) Administrative Simplifications.
The Administrative Simplifications included the security rule to insure that covered entities, including small and medium-size providers like you, guard against security incidents.
Furthermore, to make sure that organizations take steps to protect ePHI, the law included increased requirements, penalties and investigative authority.
Although there are many core elements that make up the security rule, a documented risk analysis is seen as one of the most important by HHS.
The purpose of making you perform a risk analysis is to help you identify when and where there’s a risk where someone could compromise the confidentiality of your ePHI, inappropriately alter or delete the ePHI, affecting it’s integrity or if ePHI might not be available when needed.
Another key requirement is that you establish security measures to decrease risks to a reasonable and appropriate level. While complete protection from risk is impossible, HHS feels that by having good policies and procedures in place you can help protect your ePHI against risks that can be reasonably anticipated.
The point is, that by law and under the threat of huge penalty, your office
must have on record, documentation of the following:
- Detailed, Policies and procedures regarding ePHI
- A documented risk analysis including a review of:
- SYSTEM CHARACTERIZATION
- THREAT VULNERABILITY IDENTIFICATION
- CONTROL ANALYSIS
- LIKELIHOOD DETERMINATION
- IMPACT ANALYSIS
- RISK DETERMINATION
- CONTROL RECOMMENDATIONS
- RESULTS DOCUMENTATION
- A CONTINGENCY PLAN
- DOCUMENTED STAFF TRAINING
Sometimes I think politicians with better things to do, spend their time thinking of things for us to do as though we had nothing better to do.