SBCMS News/Media

When was your last HIPAA risk analysis?

The U.S. Department of Health and Human Services (HHS) has updated the Security Risk Assessment (SRA) tool, which is designed to help health care providers in small to medium sized practices conduct information security risk analyses of their organizations, as required under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. New features of the tool include Windows 10 compatibility and improved reporting features.

The tool, available at www.HealthIT.gov, is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). It is designed to help practices conduct and document an assessment of potential security risks in a thorough, organized fashion. The tool also produces a report that can be used in case of a HIPAA audit or investigation.

HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of that information. By conducting the risk analysis, health care providers can uncover weaknesses in their security policies, processes and systems. The tool also helps practices document and address the vulnerabilities it identifies, potentially preventing health data breaches or other adverse security events.

Conducting a security risk analysis is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program, commonly known as the Meaningful Use Program.

Despite the name, this tool supports the HIPAA Security Rule "risk analysis" described above. It is not a tool for conducting the separate "risk assessment" that the Breach Notification Rule requires after a security incident, in which a practice determines whether protected health information was compromised and whether notification requirements have been triggered. Note also that the tool is provided for informational purposes only and does not guarantee compliance with federal, state, or local laws.

The tool is available for both Windows operating systems and iPad. The Windows version can be downloaded from www.HealthIT.gov. The iPad version is available from the iTunes App Store (search "HHS SRA tool").

For more information on the risk analysis requirements under HIPAA, see CMA On-Call document #4102, "HIPAA Security Rule." On-Call documents are available free to members in CMA's online health law library at www.cmanet.org/cma-on-call. Nonmembers can purchase documents for $2/page.

CMA is also hosting a live webinar, "Is Your Practice at Risk for a HIPAA Security Breach?" on November 2, 2016. In this webinar, CMA’s HIPAA advisor, David Ginsberg, will discuss common threats and breaches, how to safeguard and strengthen your systems, and what to do if you have a breach.

Contact: CMA legal information line, (800) 786-4262 or legalinfo@cmanet.org.

Are you using Windows XP? You may need to upgrade

Physician offices using Windows XP should be aware that Microsoft will no longer be providing support for Windows XP after April 8, 2014. This means that updates, bug fixes, security patches and troubleshooting will not be available for systems running Windows XP. Any vulnerability discovered after that date will remain unpatched on those systems, leaving them exposed to attacks that supported systems would be protected against.

While the California Medical Association (CMA) has received concerns from physicians who are being told that they will be in "automatic violation" of the Health Insurance Portability and Accountability Act (HIPAA) for using Windows XP after April 8, the HIPAA Security Rule does not specifically mandate any minimum operating system requirements. Physician offices using Windows XP, however, should be aware that continuing to use an unsupported operating system without proper maintenance in place to protect electronic protected health information (ePHI) increases their risk of security breaches.

The HIPAA Security Rule requires a security management process, which means the development and implementation of policies and procedures to prevent, detect and correct potential risks and vulnerabilities to ePHI. An unsupported operating system should be identified as a risk in that process, and physician practices using Windows XP should conduct a risk analysis to determine the appropriate measures to reduce the risk to ePHI, including upgrading to a current, supported operating system.
For more information, see CMA On-Call document #4102, "HIPAA Security Rule." On-Call documents are available free to members in CMA's online health law library at www.cmanet.org/cma-on-call. Nonmembers can purchase On-Call documents for $2 per page.
Contact: CMA Center for Legal Affairs, (800) 786-4262 or legalinfo@cmanet.org.