There's good news and there's bad news about the HIPAA security rule. The bad news is that it's long and vague. The good news is that you're probably already closer to compliance than you think. Much of what shows up in the Health Insurance Portability and Accountability Act's security rule dovetails nicely with the privacy rule, experts agree.

Another bit of good news is that physicians and other providers have two years to come into compliance with the security regs. However, "even though you have a two-year timeline, don't wait two years" to start preparing, urges St. Paul, MN-based attorney Gordon Apple.

Here are some steps you can take now to get the ball rolling:

Security officer. Go ahead and assign a "security officer" for your practice, Apple advises. In most small physician practices, the privacy officer and the security officer should be the same person, according to Bret Bissey, chief compliance officer and privacy officer at Deborah Heart and Lung Center in Brown Mills, NJ.

Risk assessment. Another high-priority activity for physician practices is to conduct a risk assessment, Apple counsels. Not only will this assessment help you develop a road map for the next two years, but conducting it now will allow you plenty of time to work implementing security measures into your budget for next year, he points out.

Privacy follow-up. This action item will kill two birds with one stone, notes attorney Rob Wanerman with Reed Smith in Washington. Shortly after April 14, you should "do a first-round privacy follow-up review" to see how your practice is doing with HIPAA privacy rule compliance. At the same time, you can touch the security bases, Wanerman suggests.

Pick the low fruit. Knock out early on any security requirements that will be particularly easy for your practice to comply with, Apple counsels. That way, you'll be off to a relatively painless start.

Access review. Look at who has access to patient information, and think about the level of access people need, Wanerman instructs.