The HIPAA Risk Assessment Checklist for Eye Care Professionals
HIPAA compliance and HIPAA risk assessments are challenging tasks for many optometry and ophthalmology practices. There is one compliance task you can’t do once then sweep under the rug—and that’s to perform a HIPAA security risk assessment or risk analysis regularly for your business.
Failing to perform a thorough risk assessment continues to be one of the most common HIPAA violations. If you bury your head in the sand and don’t conduct regular HIPAA risk assessments, not only can it lead to a data breach, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) could impose hefty fines, anywhere from $100-$50,000 per violation or per violated patient record.
Cybersecurity attacks occur more frequently today. The KPMG 2017 Cyber Healthcare and Life Sciences Survey reports that “47 percent of healthcare providers and health plans said they had instances of security-related HIPAA violations or cybersecurity attacks that compromised data compared with 37 percent in KPMG’s 2015 survey.”
According to the Office of the National Coordinator for Health Information Technology (ONC), many healthcare providers are misinformed that by merely installing a certified EHR, this fulfills promoting interoperability and meaningful use security risk analysis requirements.
That’s not true, says the ONC: “Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information (ePHI) you maintain, not just what is in your EHR.”
What is the HIPAA Security Rule and Why Must You Comply?
The HIPAA Security Rule defines technical and non-technical safeguards that require health plans, health plan clearinghouses, and any healthcare provider to implement essential security safeguards to protect both printed and electronic Protected Health Information (ePHI).
PHI is any information in the patient’s medical record that identifies the patient. The Security Rule encompasses computer systems and electronic transmissions of patient information that is created, received, maintained, or transmitted by the covered entity (healthcare provider) or business associate (EHR vendor).
HIPAA requires all healthcare providers to conduct ongoing HIPAA security risk assessments to ensure their office is compliant with administrative, physical, and technical safeguards. These safeguards (as described below per HHS) protect the confidentiality, integrity, and availability of PHI.
- Administrative Safeguards: “Manages the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
- Physical Safeguards: “Physical measures, policies, and procedures to protect electronic information systems and related buildings from natural and environmental hazards, and unauthorized intrusion.”
- Technical Safeguards: “The technology and the policy and procedures for its use that protect ePHI and control access to it.” HHS defines this as the Minimum Necessary Requirement, which means only those people who need access to the patient information to perform a specific job function should have access to ePHI.
The Time for a HIPAA Security Risk Assessment is Now
To jumpstart your HIPAA security risk assessment, First Insight has put together two Risk Assessment Checklists (cloud and traditional server versions). These checklists will help you conduct a security audit as it relates to your optometry and ophthalmology EHR for promoting interoperability and the Merit-Based Incentive Payment System (MIPS).
The questions included in these checklists are from the HealthIT.gov Reassessing Your Security Practices in a Health IT Environment. The checklists are only a reference and starting point to help small- to medium-sized practices assess their health information technology (health IT) by conducting a security audit as it relates to an EHR.
- Download EHR Security Risk Assessment Checklist (Cloud)
- Download EHR Security Risk Assessment Checklist (Traditional Server)
Pro Tip: Download the free ONC and HHS Security Risk Assessment (SRA) Tool and view SRA videos. These tools will help guide small- to medium-sized practices with conducting a security risk assessment. Use the SRA assessment results report to help determine risks associated with your policies, procedures, information systems, and methods to alleviate weaknesses.
Choose an EHR That Keeps Up With HIPAA Compliance
Is your eye care EHR certified for data encryption? And does it include built-in functionality that adheres to HIPAA requirements for user access controls, privacy, and security? If you’re not sure, it’s time to evaluate your EHR system and perform a HIPAA security risk assessment to safeguard your practice from potential security threats.
MaximEyes EHR is ONC 2015 Edition Health IT certified for quality reporting and Promoting Interoperability (PI) Programs. We adhere to IHE (Integrating the Healthcare Enterprise) HL7 standards and functionalities that improve the interoperability of healthcare information systems.
It’s time for you to feel more confident about an EHR and practice management system that keeps up with HIPAA compliance. Request a demo of MaximEyes today.
This blog is meant as an educational resource and does NOT constitute legal HIPAA advice. Covered entities (eye care providers) are responsible for taking the necessary steps needed to protect the confidentiality, integrity, and availability of protected health information (PHI) and complying with the HIPAA security and privacy rules.