Imagine trying to come up with the top ten things our planet should do to reduce vulnerabilities and threats. Looking at Earth from 30,000 feet can make that seem easier. But if we zoom in to the details, we could probably come up with hundreds of things to consider. The same is true of health information privacy and security. To come up with what we consider the top ten things to do to pass an Office for Civil Rights (OCR) audit and reduce the risk of unauthorized access to your protected health information (PHI), we had to zoom out and look, from a very high level, at what we have observed over the past several years. Our top ten are not listed in any particular order. Keep in mind that today's top ten will most likely change soon, and at least from year to year. Here they are:
(Journal of Healthcare Information Management (JHIM), Winter 2014. Used by permission from HIMSS.) By now we all know that "ePHI" refers to electronic protected health information. Unfortunately, judging by the number of breach notifications we read about, PHI has been anything but protected. The authors continue to receive e-mails reporting breaches on a regular basis. Questions are even being raised about the privacy and security controls, or lack thereof, on the federal health insurance exchange website. It is difficult to imagine that the federal government's own health insurance exchange website is not in compliance with the federal government's HIPAA Omnibus Rule.
How to Prepare for a HIPAA/HITECH Audit (Journal of Healthcare Information Management (JHIM), Spring 2012. Used by permission from HIMSS.) Covered entities (CEs) and business associates (BAs) can now clearly see the "HIPAA police" up ahead on the side of the road.
(Journal of Healthcare Information Management (JHIM), Fall 2011. Used by permission from HIMSS.) A question that a number of our clients have asked us over the past six months is: "What do we really need to do for Meaningful Use (MU) Stage 1 with regard to information security risk analysis?"