The federal government has revised its Guide to Privacy and Security of Electronic Health Information to deliver practical information for small and medium-size practices that deal with electronic health information.
The guide gives steps and tips for better incorporating federal health information privacy and security requirements into your organization.
The core of the guide, published by the Office of the National Coordinator for Health Information Technology, is a fleshed-out, seven-step approach for implementing a security management process in your practice.
Step 1: Lead your culture, select your team, and learn.
- Designate a security officer(s).
- Discuss HIPAA Security Rule requirements with your electronic health record (EHR) developer.
- Consider using a qualified professional to assist with your security risk analysis.
- Use tools to preview your security risk analysis.
- Refresh your knowledge base of the HIPAA rules.
- Promote a culture of protecting patient privacy and securing patient information.
Step 2: Document your process, findings, and actions.
Step 3: Review existing security of electronic protected health information (perform a security risk analysis).
Step 4: Develop an action plan.
Step 5: Manage and mitigate risks.
- Implement your action plan (which includes using applicable EHR security settings and updating your HIPAA-related policies and procedures).
- Prevent breaches by educating and training your workforce.
- Communicate with patients.
- Update your business associate contracts.
Step 6: Attest for meaningful use security-related objective.
Step 7: Monitor, audit, and update security on an ongoing basis.
Let's look at Step 2. The HIPAA Security Rule requires this documentation. It provides not only risk protection in case you are under scrutiny as a result of a data breach or audit but also serves as a reference guide in your ongoing security program.
What records do you need? The working pieces of your documentation are a master file of findings from your security risk analysis, with your resulting decisions and actions including implementation dates and notes, and your policies and procedures manual. Additional records to keep are, among others, completed security checklists, training materials presented to staff and records of training completion, updated business associate agreements, and EHR audit logs that show use of security features and monitorin
TMA provides resources to help practices become HIPAA security-compliant, including articles, consulting, continuing medical education, and a customizable policies and procedures manual.
Published April 29, 2015
TMA Practice E-Tips main page