If your practice is attesting for meaningful use (MU), there is a good chance you could be audited. Unfortunately, many practices over look core item 15, which requires a HIPAA risk assessment and remediation. In addition, CMS expects you to develop a plan and improve your security and compliance over the course of the HITECH program. Although managing security can be a hassle, here are a few tips to get you started.
Start with a risk assessment. MU Stage one and the HIPAA security rule both require risk assessments. Instead of implementing technologies haphazardly, a risk assessment will give you a prioritized punch list. Follow the plan, and focus on the high-risk items first. Whether you hire a consultant, or use a software-based assessment, be sure it uses the NIST 800-30 standards. You do not want to waste time with a sub-par assessment.
Second, implement a disaster recovery plan complete with local and off-site backups. Chances are this will be one of the high-risk items on your risk assessment. As such, it should receive your undivided attention. Compliance is important, but preserving your data is critical. Backing up your data locally and off-site will prevent data loss, which could shut down your practice and put you at risk of HIPAA prosecution.
Third, create password management policies. Most practices do not manage passwords effectively. Computers may not even require passwords, and when they do, chances are the passwords are very simple, have never been changed, or are even written down on a near by sticky note. Create a sensible policy addressing password length, complexity, and rotation. Make sure employees do not share passwords or write them down.
Next, check the status of antivirus and software updates for all computers. Malicious software not only harms your computer, but it can result in a data breach as well. Make sure every computer has antivirus software that updates daily. Windows security updates also play an important role, so be sure you download and install them as soon as possible.
HIPAA and security compliance is a complex process that addresses many other areas. Our consultants at XLEMR have years of experience conducting risk assessments and implementing security policies and controls. If you would like more information about how we can help you on the road to compliance, please contact us at firstname.lastname@example.org.