PHI Compliance Requirements Webinar Questions/Answers – Part 4
On July 30, 2014 we hosted a webinar event with national HIPAA expert, Edward Jones. The event attracted almost 800 registrants so naturally there were a ton of questions. We decided to share the Q&A with our entire audience in a four-part series. You can follow Ed on Twitter @HIPAAsafeguards.
Read Webinar Questions/Answers – Part 1
Read Webinar Questions/Answers – Part 2
Read Webinar Questions/Answers – Part 3
1. How often are EHR risk assessments required? Is it prior to each reporting period or prior to the reporting year?
Answer: “[T]he implementation of certified EHR Technology has privacy and security implications under 45 CFR 164.308(a)(1). A [risk analysis] review must be conducted for each EHR reporting period and any security updates and deficiencies that are identified should be included in the provider’s risk management process and implemented or corrected as dictated by that process.”
77 Federal Register 54002, September 4, 2012.
2. Where is the best place to find sample policies?
Answer: Our HIPAA Safeguard product, which you can find on www.HIPAASafeguard.net, has the following attributes:
Automatically embeds name of covered entity or business associate in each policy and procedure for each implementation specification of HIPAA Privacy Administrative Requirements and HIPAA Security Rules, and the HITECH Act Breach Notification Rule.
Electronic, which facilitates instant download upon fulfillment, and timely updates related to regulatory changes and issuance of new guidance.
Provides URL links to National Institute of Standards and Technology (NIST) and Department of Health and Human Services (HHS) Office for Civil Rights (OCR) safeguard guidance, OCR compliance audit protocols, and NIST and HHS references.
OCR compliance audit protocols are tied to each implementation specification, and, for each, indicate what an auditor will “inquire of management” with respect to compliance with a particular implementation specification, and “verify” or “obtain” documentation to demonstrate compliance.
Written in plain, common sense, understandable language, HIPAA Safeguard includes over 800 guideposts for conducting a self-assessment risk analysis, implementing safeguard policies and procedures, and conducting workforce training.
HIPAA Safeguard has been legally vetted to ensure consistency with standards and implementation specifications, and is in use by attorneys and business consultants to help their clients achieve compliance.
Comprehensive portable data format (pdf) database of 114 coded categories of searchable standards and implementation specification of HIPAA Privacy Administrative Requirements, HIPAA Security Rules, and the HITECH Act Breach Notification Rule, and a crosswalk from Stage 1 and Stage 2 Meaningful Use Security Measure criteria to their HIPAA Security Rule implementation specification counterparts.
Content of database readily accessible via convenient table of contents, and can be readily tailored to fit unique attributes of a covered entity or business associate’s business operations for achieving HIPAA and HITECH Act compliance.
In August 2014, HIPAA Safeguard content increased to include important forms for demonstrating compliance with HIPAA Security Rule Administrative, Physical, and Technical safeguard implementation specifications.
After fulfillment, secure accessibility on iOS and Android smartphones and tablets via readable app.
After the initial purchase of the affordable HIPAA Safeguard product, we offer a substantially reduced optional annual fee for any regulatory updates.
3. We are a small non-profit. What tools do you recommend to conduct a risk assessment? Do you have templates for a policy as well?
Answer: HIPAA Safeguard and our book, HIPAA Plain & Simple: After the Final Rule (3rd edition), are organized in checklist fashion. HIPAA Safeguard provides online links to guidance, OCR protocols, and National Institute of Standards and Technology (NIST) and HHS references, whereas HIPAA Plain & Simple is a hard copy book with URL references to the same that the user would have to write to access. The second advantage, particularly for a small organization, is that all electronic policies and procedures are immediately available for download at purchase, with the organization’s designated name embedded in each. Once tailored for the organization’s unique business operations, as applicable and if necessary, the policies and procedures are ready for implementation to demonstrate compliance. We help you expedite this process because we have converted hundreds of NIST questions relating to implementation into plain language that will be understandable to both lay and IT personnel. A focused small organization can achieve compliance relatively quickly, whereas a complex organization such as a large clinic or hospital, health plan, or large business associate may require a substantial period of time.
Ed Jones is an author, and owner and CEO of Cornichon Healthcare Select, LLC, which provides consulting services pertaining to HIPAA/HITECH Act privacy and security compliance, and design of mobile strategies for healthcare transactions. At Cornichon’s Website, at www.HIPAASafeguard.net, Ed offers online privacy and security safeguard guidance and reference tools and policies and procedures for achieving compliance with HIPAA Privacy, Security, and Breach Notification Final Rule and Stage 1 and 2 Meaningful Use Security Measure compliance.