All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved

Data Fast News

Appointing a HIPAA Privacy and Security Officer

In a previous article, Small Healthcare Providers and HIPAA Compliance, it was noted that many small to mid-sized healthcare offices are less likely to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. Part of the challenge is that privacy and security officers are hard to find across many sectors. The healthcare industry, which requires candidates with in-depth knowledge of HIPAA and HITECH, can make filling the position even more difficult. However, as HIPAA rules and technology continue to evolve, this is one area where adhering to the HIPAA mandate can keep smaller offices from experiencing a privacy breach.

Understanding the responsibilities of each officer can help smaller organizations find existing or new employees who may fit the requirements with little or no additional training.

Responsibilities of a HIPAA Privacy Officer

According to the American Health Information Management Association (AHIMA), a privacy officer’s responsibilities include:

  • Builds a strategic and comprehensive privacy program that defines, develops, maintains and implements policies and processes that enable consistent, effective privacy practices which minimize risk and ensure the confidentiality of protected health information (PHI), paper and/or electronic, across all media types. Ensures privacy forms, policies, standards, and procedures are up-to-date.
  • Works with organization senior management, security, and corporate compliance officer to establish governance for the privacy program.
  • Serves in a leadership role for privacy compliance.
  • Collaborates with the information security officer to ensure alignment between security and privacy compliance programs, including policies, practices, and investigations, and acts as a liaison to the information systems department.
  • Establishes, with the information security officer, an ongoing process to track, investigate and report inappropriate access and disclosure of protected health information. Monitors patterns of inappropriate access and/or disclosure of protected health information.
  • Performs or oversees initial and periodic information privacy risk assessment/analysis, mitigation and remediation.
  • Conducts related ongoing compliance monitoring activities in coordination with the organization's other compliance and operational assessment functions.
  • Takes a lead role, to ensure the organization has and maintains appropriate privacy and confidentiality consents, authorization forms and information notices and materials reflecting current organization and legal practices and requirements.
  • Oversees, develops and delivers initial and ongoing privacy training to the workforce.
  • Participates in the development, implementation, and ongoing compliance monitoring of all business associates and business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.
  • Works cooperatively with the Health Information Management (HIM) Director and other applicable organization units in overseeing patient rights to inspect, amend, and restrict access to protected health information when appropriate.
  • Manages all required breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
  • Establishes and administers a process for investigating and acting on privacy and security complaints.
  • Performs required breach risk assessment, documentation, and mitigation. Works with Human Resources to ensure consistent application of sanctions for privacy violations.
  • Initiates, facilitates and promotes activities to foster information privacy awareness within the organization and related entities.
  • Maintains current knowledge of applicable federal and state privacy laws and accreditation standards.
  • Works with organization administration, legal counsel, and other related parties to represent the organization's information privacy interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standard.
  • Cooperates with the U.S. Department of Health and Human Service's Office for Civil Rights, State regulators and/or other legal entities in any compliance reviews or investigations.
  • Serves as information privacy resource to the organization regarding release of information and to all departments for all privacy related issues.

Responsibilities of a HIPAA Security Officer

AHIMA describes the responsibility of a HIPAA Security Officer as one who:

  • Builds a strategic and comprehensive information security program that defines, develops, maintains and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality and availability of information that is owned, controlled and processed within the organization. Ensures information security policies, standards, and procedures are up-to-date.
  • Initiates, facilitates, and promotes activities to foster information security awareness within the organization.
  • Creates a culture of cyber security, both within the IT organization and by driving behavioral changes for the business.
  • Evaluates security trends, evolving threats, risks and vulnerabilities and applies tools to mitigate risk as necessary.
  • Manages security incidents and events involving electronic protected health information (ePHI).
  • Ensures that the disaster recovery, business continuity, risk management and access control needs of the facility are addressed.
  • Ensures the institution/organization complies with the administrative, technical and physical safeguards.
  • Collaborates with organization senior management, Privacy Officer, and Corporate Compliance officer to establish governance for the security program.
  • Serves in a leadership role for security compliance.
  • Works closely with the Privacy Officer to ensure alignment between security and privacy compliance programs including policies, practices and investigations, and acts as a liaison to the information systems and compliance departments.
  • Is responsible for initial and periodic information security risk assessment/analysis, mitigation and remediation. Responsible for development and implementation of the security risk management plan.
  • Ensures the organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.
  • Oversees periodic monitoring and reviewing of audit records to ensure that activity is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits and printing.
  • Ensures the organization has and maintains appropriate system use and disclosure/confidentiality statements.
  • Oversees, develops and/or delivers initial and ongoing security training to the workforce. Initiates, facilitates and promotes activities to foster information security awareness within the organization and related entities.
  • Participates in the development, implementation, and ongoing compliance monitoring of all business associates (BAs) and business associate agreements, to ensure security concerns, requirements, and responsibilities are addressed.
  • Assists Privacy Officer as needed with breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
  • Establishes and administers a process for investigating and acting on security incidents which may result in a privacy breach.
  • Partners with Human Resources and the Privacy Officer to ensure consistent sanctions for security violations.
  • Maintains current knowledge of applicable federal and state security laws, licensing and certification requirements and accreditation standards.
  • Cooperates with the U.S. Department of Health and Human Services' Office for Civil Rights, State regulators and/or other legal entities, and organization officers in any compliance reviews or investigations.
  • Serves as information security consultant to all departments for all data security related issues.

It’s important to note that if one individual meets the requirements of both officers, it is acceptable for that person to perform both roles. However, many smaller offices tend to appoint an existing office or billing manager to the privacy and security position, and when that happens one or more privacy and security duties may not be performed adequately. Some of the work may be delegated to others, provided the privacy and security officer makes sure that the work is carried out properly.

For assistance from an I.T. security standpoint, a HIPAA-knowledgeable I.T. professional can help. Data Fast Solutions has been providing HIPAA I.T. services in the Dallas Fort Worth area for many years. If you have any questions about your information technology and HIPAA compliance, contact Data Fast Solutions today!

This article is ©2017 Data Fast Solutions • All Rights Reserved


The Importance of Utilizing a HIPAA/HITECH Certified Professional

Healthcare professionals are now well-versed in HIPAA policies and procedures and are well aware of the importance of HIPAA and the ramifications of non-compliance. However, some healthcare workers may not be as familiar with the HITECH Act. Per HHS.gov, “the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.”

HITECH was put in place to meet certain goals of the existing regulatory aspects of HIPAA, which included improving quality of care through reduced costs and greater efficiency. Protecting patient health information (PHI) in electronic health records (EHR) is of utmost importance in meeting HIPAA guidelines. Having a good information technology company that is well trained and certified in HIPAA/HITECH analysis and assessment can save your health care organization valuable time and money.

A thorough HIPAA/HITECH analysis should include a review of your PHI/ePHI policies and procedures as well as an examination of your network layout and infrastructure. The analysis can identify whether encrypted or unencrypted PHI is being used on portable devices such as laptops, phones, or thumb drives, in order to lessen the risk of cyber attacks. Other areas of the analysis should include a review of the way fax machines are used, if any, and their potential for leaving PHI vulnerable. Instead of a fax machine, a knowledgeable I.T. company can give you more convenient, secure modes of transmitting PHI that lessen your organization’s risk of exposing sensitive information. In addition, the use of email, and the possibility of breaches in unsecured webmail systems such as those used outside the office to send and receive email from home, should be reviewed. And, finally, an area that is surprisingly often overlooked should be analyzed: the way in which PHI is stored, purged or destroyed.

If breaches are found in an analysis, a HIPAA/HITECH assessment can determine the severity of the breach, and an I.T. professional can take the steps necessary to secure your network as quickly as possible. As with the analysis, an assessment should be done by a HIPAA/HITECH-certified, trained and knowledgeable I.T. expert to avoid costly mistakes.

In April 2014, the FBI issued a warning to health care organizations that the highest volume of cyber threats are in the healthcare industry. “Data analysis revealed multiple devices (e.g., radiology imaging software, digital video systems, faxes, printers) and security application systems (e.g., Virtual Private Networks (VPN), firewalls, and routers) were compromised.” That is why a HIPAA/HITECH analysis and assessment is vitally important.

Also, the FBI reports that according to a Ponemon Institute report dated March 2013, “63% of the health care organizations surveyed reported a data breach in the past two years with an average monetary loss of $2.4 million per data breach. The majority of each data breach resulted in the theft of information assets. Lastly, 45% reported that their organizations have not implemented security measures to protect patient information.”

Patient information can be much more sensitive than data in other industries, which makes it a more appealing target for cyber attacks. Yet, according to the FBI, “the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”

Treating the information technology in your healthcare practice with the same importance as your patients, by relying on HIPAA/HITECH trained and certified professionals, will ensure your organization is not part of the FBI statistics.

This article is ©2016 Data Fast Solutions • All Rights Reserved