Many physician offices have been told they need to hire a computer consultant to perform a HIPAA “risk analysis.” While the HIPAA security rule does require covered entities to complete a risk analysis, the regulations do not require the use of an outside company to complete the analysis.
A risk analysis is, in simple terms, an assessment of all the electronic protected health information (ePHI) that your practice creates, maintains, stores, or transmits. Remember, HIPAA applies to any device that contains ePHI, including but not limited to desktop, laptop, and handheld computers; backup disks, tapes, or CDs; and even diagnostic equipment such as stress-test treadmills and ultrasound machines.
Once you have identified all sources of ePHI in your practice, you must then determine the threats to and vulnerabilities of this information. This will include an assessment of your practice’s:
- ADMINISTRATIVE SAFEGUARDS: For example, are your computer systems password-protected so that only authorized individuals are able to access the practice’s electronic records?
- PHYSICAL SAFEGUARDS: Does your office have a security system to protect against unauthorized entry after hours?
- TECHNICAL SAFEGUARDS: Does your computer have antivirus software installed and kept up to date?
A successful risk analysis requires the participation of your entire administrative staff. The people who daily create, maintain, store, or transmit ePHI can provide a great deal of information and ensure your risk analysis is complete. Even if you choose to use an outside consultant, you should still involve your staff.
Detailed information on performing a HIPAA risk analysis is included in the CMA/PrivaPlan HIPAA Privacy and Security Compliance Toolkit. The toolkit also contains all the information, forms, and help you need to comply with the HIPAA privacy rules and regulations. CMA members can purchase the toolkit for $325 (nonmember price is $495).
For an overview of the security rule, see ON-CALL document #1607, “HIPAA Security Rule.” ON-CALL documents are free to members at CMA's members-only website. Nonmembers can purchase ON-CALL documents from CMA's online bookstore.
Contact: CMA’s legal information line, 415/882-5144 or legalinfo@cmanet.org.