TIP: Tighten your HIPAA security policies and procedures
HIPAA Weekly Advisor, January 5, 2009
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Editor’s note: This is a continuation from last week’s HWA, where we provided tips to help ensure that your HIPAA security measures are properly in place. The tips are from Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, and John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD:
- Keep your training programs active. Beef up training, especially for remote access employees, many of whom use mobile devices. “Make sure people understand there are rules of engagement,” says Parmigiani. Update your training process frequently to reflect regulatory changes, and offer training via various delivery methods. Don’t limit it to classroom settings or online training. Mix it up and make it ongoing, he adds.
- Act fast. You need to have an excellent detection and incident response program in place in the event that a violation occurs.
- Know who your players are. HIPAA security auditors undoubtedly will ask who is responsible for what at your facility. All staff members should be able to explain what they do and why, says Parmigiani.
- Document compliance. “Lawyers will say if it’s not documented it did not happen,” says Borten. “If it’s not in the record, I don’t have any evidence that it happened.” Ensure that you are audit-ready by thoroughly documenting your efforts to remain compliant.
- Prepare for auditors, even if your facility is small. Smaller hospital systems are not impervious to an audit, say Borten and Parmigiani. In announcing HIPAA security reviews, CMS said it would concentrate mostly on larger facilities or those that were the subject of a number of complaints. “To date that’s what [it has] done,” says Parmigiani. “But I don’t think it necessarily excuses a small organization from being audited.” Parmigiani predicts that CMS will target some smaller facilities just to show that no one is safe from a potential audit. Borten knows of an organization—and not one of the larger ones—that CMS audited. “The likelihood is less, but do not think you’re off the hook if you’re a smaller hospital.”
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Comments
0 comments on “TIP: Tighten your HIPAA security policies and procedures ”
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- HIPAA Q&A: Level of encryption needed for email
- Identify potential Medicaid RAC target areas
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- QA:Coding multiple initial infusions
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- CHANGES COMING: Key differences in nationwide rollout
- Searched