HIPAA Risk Assessment
As you are probably aware, the government has begun the first round of HIPAA compliance audits - these audits have included physician practices. So the million dollar question is: Is your medical practice really in HIPAA compliance? I find most are not even though they think they are.
Ask These Questions
A good first step to HIPAA compliance is to conduct an internal HIPAA risk assessment. At a minimum, a risk assessment must include these questions:
- What types of protected health information (PHI) do we possess, receive, store or transmit?
- How sensitive is this data in what it reveals about patient medical conditions, procedures, diagnoses and prescriptions?
  - Data about sexually transmitted diseases, sexual health, pregnancies and mental health are considered especially sensitive.
- How valuable or desirable might this data be to criminals? Inclusion of social security numbers, mother's maiden names, home addresses, payment details and long-term medical history are considered sensitive because they can be used by criminals to commit financial and healthcare fraud.
- What steps and procedures are in place in our medical practice right now to protect the PHI we possess, receive, store or transmit?
- Finally, what additional steps, procedures, or technologies are necessary to bring our data protections into line with generally accepted information-technology standards or with those of the National Institute of Standards and Technology (NIST)?
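The five questions above form one repeatable procedure: inventory the PHI, classify its sensitivity and fraud value, record the safeguards already in place, and list the gaps. The Python sketch below is an added illustration of that procedure, not code from the original post. The data stores, the sensitivity weights and the baseline control names are constructed assumptions for illustration only; the baseline is a small stand-in and not the HIPAA Security Rule's full list of safeguards.

```python
"""Toy HIPAA-style PHI inventory and gap check (constructed example)."""
from dataclasses import dataclass

# Data elements the post calls especially sensitive (what they reveal about the patient)
ESPECIALLY_SENSITIVE = {"std_status", "sexual_health", "pregnancy", "mental_health"}
# Data elements the post calls valuable to criminals for financial/healthcare fraud
FRAUD_VALUE = {"ssn", "mothers_maiden_name", "home_address",
               "payment_details", "long_term_history"}

# Assumed baseline of safeguards every PHI store is checked against (constructed;
# a placeholder for the practice's own control standard, not the full Security Rule)
BASELINE_CONTROLS = {"access_control", "audit_logging", "encryption_at_rest"}
# Assumed extra control that applies only when a store transmits PHI
TRANSMIT_CONTROL = "encryption_in_transit"


@dataclass
class PhiStore:
    name: str
    elements: set        # data elements held, e.g. {"ssn", "diagnosis"}
    activities: set      # subset of {"possess", "receive", "store", "transmit"}
    controls: set        # safeguards currently in place


def sensitivity_score(store: PhiStore) -> int:
    """Question 2/3: base 1 for any PHI, +2 if especially sensitive, +2 if fraud-enabling."""
    score = 1
    if store.elements & ESPECIALLY_SENSITIVE:
        score += 2
    if store.elements & FRAUD_VALUE:
        score += 2
    return score


def control_gaps(store: PhiStore) -> list:
    """Question 4/5: which baseline safeguards this store is still missing."""
    required = set(BASELINE_CONTROLS)
    if "transmit" in store.activities:
        required.add(TRANSMIT_CONTROL)
    return sorted(required - store.controls)


def assess(stores: list) -> list:
    """Rank stores by risk = sensitivity x (1 + number of missing controls)."""
    results = []
    for s in stores:
        gaps = control_gaps(s)
        sens = sensitivity_score(s)
        results.append({"store": s.name, "sensitivity": sens,
                        "gaps": gaps, "risk": sens * (1 + len(gaps))})
    return sorted(results, key=lambda r: r["risk"], reverse=True)


# Constructed inventory for a hypothetical practice
SAMPLE_STORES = [
    PhiStore("EHR database",
             {"diagnosis", "mental_health", "ssn", "home_address"},
             {"store", "transmit"},
             {"access_control", "audit_logging", "encryption_at_rest"}),
    PhiStore("Billing spreadsheet",
             {"payment_details", "home_address"},
             {"store"},
             {"access_control"}),
    PhiStore("Appointment reminder log",
             {"patient_name", "appointment_time"},
             {"store", "transmit"},
             {"access_control", "audit_logging", "encryption_at_rest",
              "encryption_in_transit"}),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_STORES):
        print(f"{r['store']:<26} sensitivity={r['sensitivity']} "
              f"risk={r['risk']:<3} gaps={r['gaps'] or 'none'}")
```

The output is a prioritised worklist: the store holding mental-health data and SSNs ranks highest even though it has most controls in place, because it transmits PHI without the assumed in-transit protection, while the billing spreadsheet ranks next on two missing baseline controls. Swap in the practice's real inventory and control standard to turn the sketch into an actual assessment record.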
Have questions? I’m here to help.