HIPAA risk assessment tip: Be realistic and reasonable
HIPAA Weekly Advisor, May 3, 2010
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
The HIPAA Security Rule requires a risk assessment, but not over-analysis.
“Don’t overthink it,” says Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix and principal at HIPAA Boot Camp in Casa Grande, AZ.
Assess the threats that are most likely to occur. Planning how to respond if a meteorite lands on your facility or a blizzard damages the power lines that service your facility doesn’t make sense, he says.
Consider a more likely threat: A virus infects your system when someone accesses files from the Internet, or a laptop computer or flash drive is lost or stolen.
“Every covered entity needs to look at its own environment,” says Ruelas.
Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, president of Margret\A Consulting, LLC, in Schaumburg, IL, advises organizations to assess security from three perspectives:
- Confidentiality
- Data integrity
- Data availability
You don’t need to fill every gap that your risk analysis reveals. “Fill the gaps that are most threatened,” says Amatayakul.
Editor’s note: The preceding is an excerpt of an article in the April 2010 issue of the HCPro, Inc. newsletter, Briefings on HIPAA. See next week's HIPAA Weekly Advisor for more tips.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched