Our Risk Management Department is staffed by experienced professionals with legal and clinical backgrounds. This combination provides our client with assistance from staff who have a thorough understanding of both the clinical situation and the legal issues and their implications. Our programs and services include:

· Risk identification
· Risk reduction
· Loss prevention
· Risk management education

We identify and implement sound risk management services to help you avoid potential incidents and lawsuits.
IMPORTANT THINGS TO KEEP IN MIND ABOUT HIPAA'S SECURITY RULE

Reprinted from Rx for Risk Volume 13 Issue 1 (Winter 2005)

For providers covered by HIPAA:
- Compliance is required by April 20, 2005.

- Remember that HIPAA's Security Rule only applies to electronic protected health information that a covered provider creates, receives, maintains, or transmits.

- Like the Privacy Rule, the Security Rule is scalable and flexible; the technologies used by a solo psychiatrist to comply may be very different from the technologies utilized by a large hospital system. However, regardless of the size of your organization, all Security Rule requirements must be addressed.
Here is what HHS has said in a FAQ:

"The security standards regulation allows any covered entity (including small providers) to use any security measures that allow the covered entity to reasonably and appropriately implement the standards. In deciding what security measures to use, a covered entity can take into account its size, capabilities, and costs of security measures. A small provider who is a covered entity would first assess their security risks and vulnerabilities and the mechanisms currently in place to mitigate those risks and vulnerabilities. Following this assessment, they would determine what additional measures, if any, need to be taken to meet the standards, taking into account their capabilities and the cost of those measures." [How could a small provider implement the security standards? Answer ID 1852, http://questions.cms.hhs.gov, accessed 12-15-04]
- The security standards are technology-neutral; the standards indicate what must be done, but do not require specific technology.

- Remember that the Privacy Rule (covering all forms of protected health information - paper, oral, and electronic) contains a "mini" Security Rule: "Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." [§ 164.530(c)(1)] The Security Rule addresses what the administrative, technical, and physical safeguards are for electronic protected health information.

- The requirements of the Security Rule are based on a reasonableness standard [§ 164.306(a)] - covered entities must:
  * protect against any reasonably anticipated threats or hazards to the security or integrity of protected health information, and
  * protect against any reasonably anticipated uses and disclosures not permitted by the Privacy Rule and other more stringent laws.

- Because the Security Rule represents good business practices for protecting confidential electronic health information, you may already have in place many, if not most, of the security items required by the Security Rule. You may find that all you need to do is document how you are already meeting the security standards.
For providers NOT covered by HIPAA:

- Similar to the Privacy Rule, the Security Rule is a floor of security protections to maintain the confidentiality of patient information.

- The Security Rule's requirements may be viewed as the standard for the protection of confidential electronic health information, which all providers - including those not covered by HIPAA - may be expected to meet or exceed.

- HHS has indicated that the Security Rule's standards are good business practices for all healthcare businesses, especially [but not limited to] entities covered by HIPAA.