Ten misconceptions about HIPAA privacy and security rules
HIM-HIPAA Insider, October 28, 2013
by Jaclyn Fitzgerald, Associate editor
With most of the provisions of the HIPAA omnibus rule now in effect, it is important for you to separate fact from fiction when it comes to HIPAA compliance. HealthIT.gov recently published a list of the top 10 security risk analysis myths, and proceeded to set the record straight so covered entities and business associates can continue on their path to compliance.
The following is a breakdown of the myths and realities on the list:
- Myth: The security risk analysis is optional for small providers.
  Reality: All HIPAA covered entities, and all providers who want to receive EHR incentive payments, must conduct a risk analysis.
- Myth: By installing a certified EHR, you fulfilled the security risk analysis meaningful use requirement.
  Reality: You must still perform a full security risk analysis, even with a certified EHR. The security requirements apply to all ePHI your organization maintains, not just the ePHI in your EHR.
- Myth: Your EHR vendor took care of everything you need to do with regard to privacy and security.
  Reality: Your organization is responsible for conducting a complete risk analysis. EHR vendors are not responsible for making their products compliant with the HIPAA privacy and security rules.
- Myth: You need to outsource the security risk analysis.
  Reality: Small practices can often perform their own risk analysis using self-help tools. However, a thorough risk analysis that stands up to a compliance review will likely require expert knowledge from outside your organization.
- Myth: A checklist will suffice for the risk analysis requirement.
  Reality: Checklists can help you start your risk analysis, but they cannot substitute for performing, or documenting, a systematic security analysis.
- Myth: You need to follow a specific risk analysis method.
  Reality: There are many ways to perform a risk analysis. OCR's Guidance on Risk Analysis Requirements of the Security Rule helps organizations identify and implement safeguards for securing ePHI.
- Myth: A security risk analysis only needs to focus on your EHR.
  Reality: Your organization should review all electronic devices that store, capture, or modify ePHI, including hardware, software, and any devices that access EHR data. For more information, review the HHS guidance on remote use.
- Myth: You only need to perform a risk analysis once.
  Reality: You must continuously review, modify, and update your security protections. For more information, review Reassessing Your Security Practice in a Health IT Environment on HealthIT.gov.
- Myth: You must fully mitigate all risks before attesting for an EHR incentive program.
  Reality: The EHR incentive programs require you to correct deficiencies identified during the risk analysis within the reporting period, as part of your risk management process.
- Myth: You need to redo your security risk analysis each year.
  Reality: When you adopt an EHR, you should perform a full security risk analysis. After that, review your prior analysis for changes in risk as you change your electronic systems. A review is required for each EHR meaningful use reporting period.