Data Breach, Education, HIPAA / HITECH Enforcement

Privacy and Security Officers are Critically Important Roles

In a world of inflated and confusing job titles, a “privacy and security officer” is neither pretentious nor inconsequential – for health care providers, such an officer is crucial.

All health care providers have HIPAA-mandated responsibilities to ensure the adequate protection of individually identifiable health information and are required to officially designate both a Privacy and Security officer.

Among the provisions of the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, are specific requirements for handling patients’ health information in all its forms: Electronic, paper and oral.

These rules govern how pharmacies, physicians’ offices, clinics, life insurers, hospitals, dentists, and all their business partners – including billing agencies, information system providers and even employers – handle patient information designated as Protected Health Information (PHI).

Ensuring patient privacy is an onerous task, and so important that the law requires covered providers to designate both a privacy officer and a security officer on their staff.

Here are some of the responsibilities of a good HIPAA privacy and security officer:

  • Documents why and where security measures exist, how they were created and how they are monitored.
  • Keeps essential records regarding a health care provider’s or business associate’s policies in the event of a HIPAA audit or other audit of electronic health records, or a security survey from a business partner.
  • Compares current security measures to industry standards in safeguarding patient health information.
  • Develops an action plan for addressing risks and vulnerabilities. In many cases, basic security measures can be highly effective and affordable. Look for “low hanging fruit”, but ensure that a well-documented, consistently updated, and management-accountable project plan is in place to address all gaps and periodic requirements. HIPAA has a significant quantity of periodic requirements!
  • Develops written policies and procedures about how your organization protects patients’ or members’ privacy and security, and keeps those records up to date.
  • Trains your staff on proper handling of all forms of PHI.
  • Communicates with patients and members and responds to requests and complaints. The Officers should regularly review the Notice of Privacy Practices (NPP) and update it as required; for example, the recent Omnibus Rule required every Covered Entity to update their NPP. The Officers must also be the primary points of contact for patient or member complaints, OCR communications, and questions from members of the organization’s workforce.

Privacy and security officers can, and should, do much more, too, including working with your vendors and monitoring business associate compliance, monitoring rule changes and applying for incentive programs.

Please contact RISC Management if you need assistance filling an interim gap, getting a new Privacy or Security Officer up to speed, or assessing a business associate or your own practices. www.RISCsecurity.com 800.648.4358

Education, HIPAA / HITECH Enforcement, Meaningful Use

What is Attestation?

An Eligible Provider (EP) must attest to all 15 Core Measures of the Meaningful Use Stage 1 requirements in order to qualify for stimulus money. Core Measure #15 requires that Providers complete a series of activities, both initial and follow-on. It is important to note that there is no exclusion from Core Measure #15; that is, it is not an optional or excludable component of the attestation. Eligible professionals (EPs) must attest Yes to having conducted or reviewed a risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure. It is worth noting that Stage 2’s proposed requirements continue to reinforce the importance of Privacy and Security. All providers must achieve meaningful use under the Stage 1 criteria before moving to Stage 2.

RISC Management and Consulting can assist organizations, including medical practices and hospitals alike in performing a risk analysis, understanding the results, determining appropriate remediation steps, and managing security functions on an ongoing basis. RISC was founded by individuals with an extensive healthcare background so we understand your business and the unique challenges it presents!

There is serious risk in attesting to meeting every requirement for Core Measure #15 if you haven’t taken the process seriously. However, with some work and help from the professionals at RISC, you can meet or exceed every requirement for Meaningful Use and help your practice run safer and smoother!

This information provided by RISC Management and Consulting, http://www.RISCsecurity.com