April 18, 2017
The lack of skills and software tools contributed to the inability of organizations to adequately address cybersecurity risks.
For a full view of the Federal Regulations on HealthIT.gov, click here.
OCR Issues Second Largest HIPAA Fine to Date – $5.5 Million
read about it HERE
It won't happen to me, right?
Peachtree Orthopedics thought the same thing...
As with any new program or regulation, there may be misinformation making the rounds. The following is a top 10 list distinguishing fact from fiction.
1. The security risk analysis is optional for small providers.
2. Simply installing a certified EHR fulfills the security risk analysis MU requirement.
3. My EHR vendor took care of everything I need to do about privacy and security.
4. I have to outsource the security risk analysis.
5. A checklist will suffice for the risk analysis requirement.
6. There is a specific risk analysis method that I must follow.
7. My security risk analysis only needs to look at my EHR.
8. I only need to do a risk analysis once.
9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
10. Each year, I’ll have to completely redo my security risk analysis.
REQUIRED vs. ADDRESSABLE SPECIFICATIONS:
In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures to accomplish the same purpose; or (c) implement neither the addressable implementation specification nor an alternative. The covered entity's choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as the entity's risk analysis, its risk mitigation strategy, what security measures are already in place, and the cost of implementation. Whatever the covered entity decides regarding each addressable specification, it must document the decision and how the organization will implement it.
For more information: http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html
Concerned about mobile devices? You probably should be. Watch this video put out by CMS.
Under the Health Insurance Portability and Accountability Act (HIPAA) and the American Recovery and Reinvestment Act (ARRA), physicians are required to control the ways in which they use and disclose patients' protected health information.
The U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR) oversees compliance with the HIPAA privacy requirements. As a result of the ARRA, several new regulations will be published implementing the law. In January 2013, the OCR published an omnibus final rule that covers:
The compliance date for the final omnibus rule is effective September 23, 2013.
BREACH
To report a security incident affecting one or more patients, visit HHS.gov and click here.
Your audit is coming. Are you ready?
The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review. For more information on required protocols and what to expect in a Security Risk Analysis Audit, go to this link.