Monday, November 7, 2011

I don't need no stinking risk assessment. (HIPAA, HITECH & YOUR TECH Part 3)

In our previous blog about HIPAA & HITECH compliance we walked through a simple outline of steps towards meeting HIPAA / HITECH compliance, all of which are based on a walk-though of the HIPAA administrative simplifications.

Quick recap - step 1 is to familiarize yourself with the law and get a team together that can help you be compliant.   HERE's  a great document from HHS on how to do the risk assessment.

STEP #2 - The next step is  do a risk assessment.

"THIS IS STUPID.  WHY?" you ask.   "I know my risks.  I don't need you to tell me what my risks are."

Well, forget the fact that the HHS expects you to do it.  How about looking at this from a PURELY BUSINESS PERSPECTIVE.

What would you do if one of your employees accidentally lost a box of your patient charts?

What would you do if a major hurricane was coming?

What about if your practice was hit by a tornado?   Could you EVER recover your business data?  Collections reports?  Patient charts?

The shocking thing for me, as a consultant, is how QUICKLY we forget things like the Joplin tornadoes , and hurricanes Gustav and Katrina.

to give me your patients' data,
and all your money.   

But as a business owner or manager (and that's what you are, even though your business is healthcare..), here's the biggest threat you've got: UNCLE SAM.

SO, if you adhere to HIPAA / HITECH regulations, obamacare, or whatever you want to call it, great.  You're already looking for compliance solutions & doing your homework.

BUT IF YOU DON'T believe that HIPAA & HITECH are real threats to you, then forget about the risk assessment as a HIPAA mandate, but DON'T OVERLOOK IT AS A SOUND BUSINESS PRACTICE.

So, if you're interested, here's what your Risk Assessment should look like:

1. It should be periodic.   The world changes, your business changes, and risk factors change.  Your assessment from 2005 is outdated, refresh it or start a new one.

2. You should be involved in it.  If you pay a consultant to do it 100%, it won't reflect your organization accurately.

3. Your assessment should be thorough.   HIPAA law (164.308(a)(1)(ii)(A) states that you should assess the vulnerabilities to the
         A. Confidentiality
         B. Integrity, and
         C. Availability of electronic protected health information (ePHI) held by the covered entity.


Our recommendation is to use a company called eGestalt.

1. For most practices, their solution costs at or under about $100 / month.
2. It's a secure offsite repository for your compliance plan.
3. It's built and maintained by a team of people who do nothing but obsess over security compliance, so they're keeping it up-to-date.
4. Simple reporting - with a few clicks, you can see in color and in pictures EXACTLY how compliant you are.
5. Comprehensive reporting - with a few clicks, you can pull an extensive report on your compliance status, complete with your supporting policies & documents, to provide an auditor.
6. It's HIPAA / HITECH simplified - all throughout the process of their assessments, you're provided both detailed links to the actual law, and also great explanations & templates for how to meet the legal requirements.

Are there options out there?

You bet.

But this one is a cheap, simple and comprehensive way for you to meet this incredibly important part of HIPAA & HITECH.   And it's proven, reliable, and industry-accepted as a strong solution.

So, when you're ready, CALL US at  225-751-4444 or visit us online at www.TKSHEALTH.COM to learn more or to get started on your audit.

No comments:

Post a Comment