26 Sep HIPAA Risk Assessment Checklist for Eye Care Professionals
HIPAA compliance and risk assessments are challenging for many optometry and ophthalmology practices. There is one compliance task you can’t do once and then sweep under the rug—and that’s to perform a HIPAA security risk assessment or risk analysis regularly for your business.
Failing to perform a thorough risk assessment continues to be one of the most common HIPAA violations. Cybersecurity attacks occur more frequently today and continue to threaten the healthcare industry.
According to the Office of the National Coordinator for Health Information Technology (ONC), many healthcare providers mistakenly believe that merely installing a certified EHR fulfills the security risk analysis requirements of Promoting Interoperability and Meaningful Use. That’s not true, says the ONC: “Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information (ePHI) you maintain, not just what is in your EHR.”
If you bury your head in the sand and don’t conduct regular HIPAA risk assessments, not only can it lead to a data breach, but the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) could also impose hefty fines, anywhere from $100 to $50,000 per violation or per violated patient record.
What is the HIPAA Security Rule and Why Must You Comply?
The HIPAA Security Rule defines the technical and non-technical safeguards that health plans, health plan clearinghouses, and any healthcare provider must implement to protect both printed and electronic Protected Health Information (ePHI).
PHI is any patient’s medical record information that identifies the patient. The Security Rule encompasses computer systems and electronic transmissions of patient information created, received, maintained, or transmitted by the covered entity (healthcare provider) or business associate (EHR vendor).
HIPAA requires all healthcare providers to conduct ongoing HIPAA security risk assessments to ensure their office is compliant with administrative, physical, and technical safeguards. These safeguards (as described below per HHS) protect PHI’s confidentiality, integrity, and availability.
- Administrative Safeguards: “Manages the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
- Physical Safeguards: “Physical measures, policies, and procedures to protect electronic information systems and related buildings from natural and environmental hazards, and unauthorized intrusion.”
- Technical Safeguards: “The technology and the policy and procedures for its use that protect ePHI and control access to it.” HHS defines this as the Minimum Necessary Requirement, which means only those people who need access to the patient information to perform a specific job function should have access to ePHI.
Our HIPAA Compliance Guide for Eye Care Professionals reviews several steps you must take to protect PHI’s privacy and electronic security.
The Time for a HIPAA Security Risk Assessment is Now
Download the free ONC and HHS Security Risk Assessment (SRA) Tool and view SRA videos. These tools will help guide small- to medium-sized practices in conducting a security risk assessment. Use the assessment results report to help determine the risks associated with your policies, procedures, and information systems, and to identify methods to alleviate weaknesses.
Choose an EHR That Maintains HIPAA Compliance
Is your eye care EHR certified for data encryption? Does your EHR software include built-in functionality that adheres to HIPAA requirements for user access controls, privacy, and security? If unsure, it’s time to evaluate your EHR system and perform a HIPAA security risk assessment to safeguard your practice from potential security threats.
MaximEyes EHR is ONC 2015 Edition Health IT certified for quality reporting and Promoting Interoperability (PI) Programs. We adhere to IHE (Integrating the Healthcare Enterprise) HL7 standards and functionalities that improve the interoperability of healthcare information systems.
It’s time for you to feel more confident about an EHR and practice management system that keeps up with HIPAA compliance. Request a demo of MaximEyes today.
This blog is an educational resource and does NOT constitute legal HIPAA advice. Covered entities (eye care providers) are responsible for taking the necessary steps to protect the confidentiality, integrity, and availability of protected health information (PHI) and comply with the HIPAA security and privacy rules.