Conducting a Security Risk Analysis
Many practices think that just installing a certified EHR or conducting a one-time training will cover everything for privacy and security. While EHR vendors can provide training on the privacy aspects of their products, it is up to the practice to take the steps that protect privacy and to document the process. CMS has suggested that supporting documentation for attestation be retained for a minimum of six years.
Internal security risk audits must be completed by the end of the current reporting year, but it is not too early to start for the next year. Practices need to understand that it is not just a matter of putting a HIPAA policy in place; it is a matter of addressing the questions that may come up about security.
• What if an administrator’s laptop is stolen out of a car? Is the laptop password protected? Or is the data encrypted? How do you notify patients?
• If your server goes down, what do you have in place for back-up? And is that back-up protected?
• When your reception area is checking in patients, can the patient read the screen? With computers in the exam rooms, does your staff log off before leaving the room or is there an automatic log-off?
Security risk compliance and HIPAA enforcement are among the subjects most frequently audited by CMS. After receiving an audit letter, practices have little time to respond (often just 10 days to send documentation), and if the response is not complete and successful, providers can lose thousands of dollars in previous reimbursements.
If your practice needs to ensure you are answering all the possible questions, and documenting the process, the Quality Reporting Engagement Group at IntrinsiQ Specialty Solutions has a checklist and template available for accuracy and completeness as part of their standard consulting services. If you are interested in learning more about this, email us at firstname.lastname@example.org or call 877-570-8721 x2.