What should you expect from your HIPAA Security Official?

HIPAA’s Security Rule requires covered entities to designate one person to be responsible for the development and implementation of policies and procedures that safeguard electronic protected health information. Nearly all organizations have implemented measures to manage privacy in oral, written, and electronic media. However, as healthcare organizations and their business associates, inspired by the HITECH Act (stimulus package), respond to forthcoming financial incentives to adopt electronic health record (EHR) software, the need to beef up security measures grows. So what should you look for in your Security Official? For starters, you need someone who understands clinical and billing workflows, recognizes that in the past some clinicians have communicated with patients via unsecure email such as AOL, Yahoo!, and Comcast, and is skilled at shouldering broad responsibility while delegating assignments. Here, we’ve updated the Get-Started plan originally published in HIPAA Plain & Simple (AMA) to include the following criteria.

What to Do

Conduct a risk assessment to determine the practice’s security safeguards and vulnerabilities.

How to Do It

As you go through your risk assessment, assign a value from 1 to 5 to each risk. A risk rated “1” is probably low but still needs attention; a risk rated “5” means the event, such as theft, a break-in at the offices, fire, or weather damage, has happened at least once and is likely to happen again.

For those risks given a 3 or 4 rating, assign an owner or owners to manage them. For example, suppose you’ve decided to purchase EHR software and will be buying new tablets for all the clinicians. Even before conducting a risk assessment, you can already list potential problem areas, such as theft, malicious software, or damage from dropping. HIPAA’s physical safeguard standard (45 CFR 164.310(b)) requires that you implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation that can access electronic protected health information.

You not only want to safeguard protected health information, you also want to safeguard your investment. The owners of this physical safeguard could be, for example, a lead physician, a nurse, and a lab technician.

If you are the Security Official and have any concerns about your responsibilities, or if you’d like a copy of our risk assessment, give us a call or send us an email. We’re here to help.
