Q&A: You've got questions! We've got answers!
Physician Practice Insider, May 16, 2017
Submit your questions to Editor Karen Long Rayburn at klong@decisionhealth.com, and we will work with our experts to provide you with the information you need.
Q. Since our last risk analysis, we’ve added a patient portal. Do we need to include the patient portal in our risk analysis?
A. Yes, because it represents a potential threat to your patients’ protected health information (PHI). When you make any significant change to your IT infrastructure or make any major changes to your business or clinical practices, it’s recommended that you assess the risk before the change and after the change. If a risk analysis was conducted within a year of that change, there isn’t a reason to completely redo the risk analysis, though. A full risk analysis should be conducted annually, especially if you’re receiving Meaningful Use (MU) dollars.
When systems change, like adding a patient portal, it’s a good idea to assess what those changes mean as they relate to risk and mitigate identified risks before making the change. After the change is made, check to make sure the risks you identified and addressed were actually mitigated and that no new risks arise that could threaten your patients’ PHI. This should be included as a process in your risk management program. A risk management program is sound security practice and is a HIPAA and MU requirement.
Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your questions to Editor Karen Long Rayburn at klong@decisionhealth.com.