Home Health & Hospice Week

HIPAA:

Give Your HIPAA Plan A Check-Up

Who’s your security officer?

If the flip phone was the mainstay the last time you drafted an agency compliance plan, it might be time to revise those outdated policies.

Why this matters: “Covered entities and business associates must insulate their businesses with a comprehensive compliance plan and risk analysis addressing and mitigating any applicable privacy and security risks,” says attorney John E. Morrone, a partner at Frier Levitt Attorneys at Law in Pine Brook, N.J. “Through recent settlements, [the HHS Office for Civil Rights] has demonstrated its propensity to impose significant fines on entities that fail to implement appropriate safeguards, independent of the number of affected individuals or the content of the protected health information included in a particular breach.”

Ensure your HIPAA protocols are in sync with current standards to avoid both agency and fiscal consequences. Review the following checklist and make sure you’ve got these bases covered:

  • Designate someone as your agency security officer and define the duties.
  • Perform a risk analysis of your organization and identify your information assets and vulnerabilities.
  • Create a security training program for your staff that includes both a general HIPAA overview and position specifics related to each staffer’s responsibility.
  • Implement business associate agreements with partners and vendors to ensure they are meeting your compliance standards and protecting PHI.
  • Identify your most critical applications and the information that is essential to your agency.
  • Draft a disaster recovery plan that protects your EHRs should catastrophe strike.
  • Implement first- and multi-factor authentication controls to prevent unauthorized access to your systems.
  • Audit your systems, looking at access trends by both authorized and unauthorized users.
  • Test your agency media and devices often for viruses, ensuring your software controls are updated and in compliance with current HIPAA standards.
  • Keep your facility and tools safe with a physical security system.
  • Analyze systems periodically for effectiveness of their security features.
  • Put texting protocols into place that include encryption and a secure sign-in process for texting medical information.
  • Devise a thorough breach response policy that includes guidance on notification and expediency.

Reminder: If these compliance safeguards aren’t part of your current plan, it’s a good time to revisit your HIPAA policies and train your staff accordingly.
