Business associate assessments are notoriously burdensome and time consuming for both covered entity and the business associate (BA). But the typical 300-question survey can be significantly narrowed by focusing on the most critical and problematic issues.
Healthcare organizations and their third party vendors have an obligation to the federal government and their patients to abide by the HIPAA regulations. Unfortunately the very foundation of social media opposes everything in relation to the privacy, security, and confidentiality of information. Social media allows for anyone to see your organizations information, at any time, in any part of the world.
We are starting to see Chief Information Security Officers (CISOs) reporting outside of Information Technology (IT). This makes sense because the CISO needs to be able to audit the IT controls and give an unbiased report to senior management.
We read about healthcare organizations that get fined by the OCR for basically doing nothing, meaning that they have a general lack of evidence of due diligence for HIPAA.
Reviewing some of the largest fines can help healthcare organizations learn how to avoid them should an incident occur. Many experts say that it isn’t IF an incident will occur, it’s WHEN.
Adding a cybersecurity tactical simulation test to an overall information security risk assessment is a must in today’s world. It is a sure bet that attacks and breaches will continue to occur and so the need for functional assessments, mitigation, awareness and response are key to protecting your organizations confidential information.
Imagine trying to come up with the top ten things our planet should do to decrease vulnerabilities and threats. Looking at earth from 30,000 feet can make that seem easier to do. But if we zoom in to the details we could probably come up with hundreds of things to consider. The same is true with health information privacy and security. To come up with what we consider to be the top ten things to do to pass an Office for Civil Rights (OCR) audit and reduce risk of unauthorized access to your protected health information (PHI), we had to zoom out and look at what we have observed over the past several years from a very high level. Our top ten things to do are not listed in any particular order. Keep in mind that our top ten today will most likely change very soon and at least year to year. Here they are:
A concern in security risk assessment is ongoing PHI breaches. A proper HIPAA risk assessment tool such as PHI Vulnerability Assessment can help.
How to Prepare for a HIPAA – HITECH Audit (Journal of Healthcare Information Management – (JHIM) – Spring 2012 – Used by permission from HIMSS). Covered entities (CEs) and business associates (BAs) can now clearly see the “HIPAA police” up ahead on the “side of the road”.
(Journal of Healthcare Information Management – (JHIM) – Fall 2011 – Used by permission from HIMSS) A question that we have been asked by a number of our clients over the past six (6) months is: “What do we really need to do for Meaningful Use (MU) Stage 1 in regards to information security risk analysis?”