The old adage, “success is 2% inspiration and 98% perspiration” also applies to HIPAA Privacy and Security. It is one thing to know what you need to do, but it is another to actually follow through and do it.

With the requirements of HIPAA and MACRA/MIPS, practice administrators and providers are tasked with completing a Security Risk Assessment (a.k.a. Risk Finding Summary), whether done internally or through a third party. The practice usually thinks that it has done one, or plans on doing one internally or with an outsourced IT firm. In reality, however, qualified IT folks have typically gone through and recommended or provided a few hardware or network items, as well as offered some suggestions for protecting patient information. ALERT: THIS IS NOT THE FULL SECURITY RISK ASSESSMENT that the HIPAA requirements have in mind. Properly installed hardware and software that protect against technical vulnerabilities are only a third of what is required. A practice must also look at potential vulnerabilities in the physical and administrative aspects of protecting patient information. Furthermore, and equally important, installing some IT solutions does not generate a Corrective Action Plan (a.k.a. Risk Strategy Recommendation Plan).

Commonly, a Corrective Action Plan is not fully understood by most healthcare organizations. A Corrective Action Plan identifies the vulnerable areas of the practice (as they relate to PHI, Protected Health Information) and provides a way to track the risk-reduction effort as well as to reduce the risk itself.

The Corrective Action Plan is a “living document” that reflects the findings of the most recent Security Risk Assessment. Every identified risk is mapped back to the infrastructure (both IT and general) to help prioritize the fixes. It is considered “living” because it contains risk-based tasks that the practice needs to address. While the tasks are prioritized by risk level and impact to the organization, they generally cannot be completed quickly. Therefore, the document “lives” through the responsible person(s) updating the progress of the tasks as they are completed. This process is repeated throughout the year until the next Security Risk Assessment is performed. At that time, a new and revised Corrective Action Plan is created.

The keys to successfully protecting PHI are understanding how to complete a Security Risk Assessment that properly identifies the risks, and how to generate a Corrective Action Plan that prioritizes those risks. By tackling these two items, a strategy can be formed for mitigating the majority of a practice’s vulnerabilities. Of equal importance is making sure that someone within the organization is following through and completing the outstanding tasks, or that you are working with someone who helps you remediate them.

Remember, a Security Risk Assessment does not just encompass your IT setup; it covers much more. Additionally, a Security Risk Assessment is not considered complete unless there is a Corrective Action Plan going forward.

Todd Greenberg
GSG Compliance
www.gsgcomplaince.com
tgreenberg@gsgcomplaince.com