HIPAA Compliance - 2015 -- Suchocki

Published on January 2017

Joseph Suchocki

HIPAA Compliance 2015

Sponsored by

Eagle Associates, Inc.
Eagle Associates provides compliance services for over 1,200
practices nationwide. Services provided by Eagle Associates
address compliance for OSHA, HIPAA, and OIG requirements.
Eagle Associates has been providing services since 1988.
Our goal is to provide affordable, complete compliance services
with a high level of personal support for our clients.

Joseph Suchocki, President and founder of Eagle Associates, Inc., has over 42
years' experience in marketing and consulting for the
healthcare industry.

©2014 Eagle Associates, Inc. 800-777-2337

www.eagleassociates.net

Objectives

The primary objectives for this HIPAA presentation include:

•Who must comply with HIPAA?
•An explanation of the federal audit protocol for HIPAA
•Administrative requirements (i.e., assigned responsibilities, record-keeping, recording, etc.)
•Privacy Rule requirements
•Breach Notification Rule requirements, and
•Security Rule requirements

•Understanding audit team
•What are the Rules?
•Privacy Rule Basics
•Understanding Business Associates
•Conducting a Security Risk Analysis

Who is required to comply with HIPAA?
All Covered Entities must comply with HIPAA requirements
The definition of a covered entity includes any health care provider who
transmits any health information in electronic form in connection with one
of the named transactions (using the standard transactions and code sets).
Thus, if a dentist or dental office sends claims, encounters, predeterminations, eligibility requests, claim status inquiries or treatment
authorization requests electronically, then that dentist or dental office is a
covered entity and is subject to HIPAA.

HIPAA Rules

•Administrative Guidelines
•Privacy Rule
•Breach Notification Rule
•Security Rule
•Enforcement Rule
•National Identifiers
•Transaction Standard
•HITECH Act
•2013 Omnibus Rule


HIPAA Terms

•Protected Health Information (PHI)
•Electronic Protected Health Information (EPHI)
•Notice of Privacy Practices
•Authorization
•Use
•Disclosure
•Designated Record Set


Notice of Privacy Practices - Patient Rights

•Written in Plain Language
•Effective Date (last required revision September 2013)
Opening Statements

Protected health information (PHI), about you, is maintained as a written and/or electronic
record of your contacts or visits for healthcare services with our practice. Specifically, PHI is
information about you, including demographic information (i.e., name, address, phone,
etc.), that may identify you and relates to your past, present or future physical or mental
health condition and related healthcare services.
Our practice is required to follow specific rules on maintaining the confidentiality of your PHI,
using your information, and disclosing or sharing this information with other healthcare
professionals involved in your care and treatment. This Notice describes your rights to access
and control your PHI. It also describes how we follow applicable rules and use and disclose
your PHI to provide your treatment, obtain payment for services you receive, manage our
healthcare operations and for other purposes that are permitted or required by law.


2013 Omnibus Rule
Modifications to Notice of Privacy Practices - Distribution
Practices are not required to distribute revised Notices to patients
automatically.
They must make the new Notice available at the delivery site upon
request on or after the effective date of the Notice, and must also post it
in a clear and prominent location.
If the practice maintains a website, the Notice must also be posted there
for patients to view.
As always, the Notice must be provided to new patients and a good faith
acknowledgement obtained.


Notice of Privacy Practices - Patient Rights

•Right to Receive Notice
•Right to Authorize Other Use and Disclosure
•Right to Alternative Communications
•Right to Inspect and Obtain Copies
•Right to Request Restrictions
•Right to Request Amendments
•Right to Disclosure Accountability
•Right to Receive Privacy Breach Notice


Notice of Privacy Practices - Patient Rights

•Right to Receive Notice

You have the right to receive, and we are required to provide you with, a copy of this Notice
of Privacy Practices - We are required to follow the terms of this notice. We reserve the right
to change the terms of our notice, at any time. Upon your request, we will provide you with a
revised Notice of Privacy Practices if you call our office and request that a revised copy be
sent to you in the mail or ask for one at the time of your next appointment.


Notice of Privacy Practices - Patient Rights

•Right to Receive Notice
•Acknowledgement of Receipt (one-time event)
•Posting Requirements
•Prominent or Conspicuous Location
•Website (if practice has one)
•Patient Distribution

Notice of Privacy Practices - Patient Rights

•Right to Authorize Other Use and Disclosure

You have the right to authorize other use and disclosure - This means you have the right to
authorize any use or disclosure of PHI that is not specified within this notice. For example,
we would need your written authorization to use or disclose your PHI for marketing
purposes, for most uses or disclosures of psychotherapy notes, or if we intended to sell
your PHI. You may revoke an authorization, at any time, in writing, except to the extent
that your healthcare provider, or our practice has taken an action in reliance on the use
or disclosure indicated in the authorization.

Limited Authorization
Personal Representative


HIPAA Auditing - Privacy
Patient Authorizations for Disclosures

An authorization for disclosure (also referred to as a release of medical information or record) is required as a means of identifying exactly who the patient desires to have access to their information.

At a minimum, a patient authorization must contain the following core elements:

•the identity of your practice;
•the identity of the patient;
•a specific and meaningful description of the information to be used or disclosed;
•the name or other specific identification of the person or entity to whom your practice may disclose information;
•a description of the purpose for use or disclosure (can be stated as “patient request”);
•an expiration date that relates to the individual or the purpose of the use or disclosure;
•a statement that the patient may revoke the authorization;
•a redisclosure statement (this protects your practice);
•a non-conditioning statement;
•a statement of the patient's right to receive a copy of the authorization; and
•the patient’s signature and date of their signature.

An authorization that does not contain these elements is not a valid authorization and is not in compliance with the Privacy Rule.

Notice of Privacy Practices - Patient Rights

•Right to Alternative Communications

You have the right to request an alternative means of confidential communication – This
means you have the right to ask us to contact you about medical matters using an
alternative method (i.e., email, telephone), and to a destination (i.e., cell phone number,
alternative address, etc.) designated by you. You must inform us in writing, using a form
provided by our practice, how you wish to be contacted if other than the address/phone
number that we have on file. We will follow all reasonable requests.


Notice of Privacy Practices - Patient Rights

•Right to Inspect and Obtain Copies

You have the right to inspect and copy your PHI - This means you may inspect, and obtain
a copy of your complete health record. If your health record is maintained electronically,
you will also have the right to request a copy in electronic format.
We have the right to charge a reasonable fee for paper or electronic copies as
established by professional, state, or federal guidelines.

Designated Record Set
Timeliness

Notice of Privacy Practices - Patient Rights

•Right to Request Restrictions

You have the right to request a restriction of your PHI - This means you may ask us, in
writing, not to use or disclose any part of your protected health information for the
purposes of treatment, payment or healthcare operations. If we agree to the requested
restriction, we will abide by it, except in emergency circumstances when the information
is needed for your treatment. In certain cases, we may deny your request for a restriction.
You will have the right to request, in writing, that we restrict communication to your health
plan regarding a specific treatment or service that you, or someone on your behalf, has
paid for in full, out-of-pocket. We are not permitted to deny this specific type of
requested restriction.

Medicare/Medicaid
All requests and responses must be in written format


Notice of Privacy Practices - Patient Rights

•Right to Request Amendments

You may have the right to request an amendment to your protected health information - This means you may request an amendment of your PHI for as long as we maintain this
information. In certain cases, we may deny your request.

All requests and responses must be in written format

Notice of Privacy Practices - Patient Rights

•Right to Disclosure Accountability

You have the right to request a disclosure accountability - This means that you may
request a listing of disclosures that we have made, of your PHI, to entities or persons
outside of our office.

3 year history
30 days to respond


Notice of Privacy Practices - Patient Rights

•Right to Receive Privacy Breach Notice

You have the right to receive a privacy breach notice - You have the right to receive
written notification if the practice discovers a breach of your unsecured PHI, and
determines through a risk assessment that notification is required.
If you have questions regarding your privacy rights, please feel free to contact our Privacy
Manager.

Notice of Privacy Practices - Use & Disclosure

•Treatment

Following are examples of uses and disclosures of your protected health information that
we are permitted to make. These examples are not meant to be exhaustive, but to
describe possible types of uses and disclosures.
Treatment - We may use and disclose your PHI to provide, coordinate, or manage your
healthcare and any related services. This includes the coordination or management of
your healthcare with a third party that is involved in your care and
treatment. For example, we would disclose your PHI, as necessary, to a pharmacy that
would fill your prescriptions. We will also disclose PHI to other Healthcare Providers who
may be involved in your care and treatment.

No Patient Authorization Required


Notice of Privacy Practices - Use & Disclosure

•Payment

Payment - Your PHI will be used, as needed, to obtain payment for your healthcare
services.
This may include certain activities that your health insurance plan may
undertake before it approves or pays for the healthcare services we recommend for you
such as, making a determination of eligibility or coverage for insurance benefits.

No Patient Authorization Required
Includes Disclosure to Collection Agencies


Notice of Privacy Practices - Use & Disclosure

•Healthcare Operations

Healthcare Operations - We may use or disclose, as needed, your PHI in order to support
the business activities of our practice. This includes, but is not limited to business planning
and development, quality assessment and improvement, medical review, legal services,
auditing functions and patient safety activities.

No Patient Authorization Required


Notice of Privacy Practices - Use & Disclosure

•Health Information Organizations

Health Information Organization - The practice may elect to use a health information
organization, or other such organization, to facilitate the electronic exchange of
information for the purposes of treatment, payment, or healthcare operations.

No Patient Authorization Required

Notice of Privacy Practices - Use & Disclosure

•Special Notices
Special Notices - We may use or disclose your PHI, as necessary, to contact you to remind you
of your appointment. We may contact you by phone or other means to provide results from
exams or tests and to provide information that describes or recommends treatment
alternatives regarding your care. Also, we may contact you to provide information about
health-related benefits and services offered by our office, for fund-raising activities, or with
respect to a group health plan, to disclose information to the health plan sponsor.


Notice of Privacy Practices - Use & Disclosure

•To Others Involved in Your Healthcare
To Others Involved in Your Healthcare - Unless you object, we may disclose to a member
of your family, a relative, a close friend or any other person, that you identify, your PHI that
directly relates to that person’s involvement in your healthcare. If you are unable to
agree or object to such a disclosure, we may disclose such information as necessary if we
determine that it is in your best interest based on our professional judgment. We may use
or disclose PHI to notify or assist in notifying a family member, personal representative or
any other person that is responsible for your care, of your general condition or death. If
you are not present or able to agree or object to the use or disclosure of the PHI, then
your healthcare provider may, using professional judgment, determine whether the
disclosure is in your best interest. In this case, only the PHI that is necessary will be
disclosed.


Notice of Privacy Practices - Use & Disclosure

•Other Permitted Uses and Disclosures
Other Permitted and Required Uses and Disclosures - We are also permitted to use or
disclose your PHI without your written authorization for the following purposes: as required
by law; for public health activities; health oversight activities; in cases of abuse or neglect;
to comply with Food and Drug Administration requirements; research purposes; legal
proceedings; law enforcement purposes; coroners; funeral directors; organ donation;
criminal activity; military activity; national security; worker’s compensation; when an
inmate in a correctional facility; and if requested by the Department of Health and
Human Services in order to investigate or determine our compliance with the
requirements of the Privacy Rule.

No Patient Authorization Required


Notice of Privacy Practices - Use & Disclosure

•Privacy Complaints
You have the right to complain to us, or directly to the Secretary of the Department of
Health and Human Services if you believe your privacy rights have been violated by us.
You may file a complaint with us by notifying the Privacy Manager at (123) 456-7890.
We will not retaliate against you for filing a complaint.


2013 Omnibus Rule

•Business Associates

Business Associate - in simple terms, a person or entity that a practice
intentionally gives patient information to, or gives access to patient
information. Then, using the information or access to information, the business
associate provides a service to the practice.

2013 Omnibus Rule
Business Associates include Health Information Organizations, E-prescribing
Gateways, Patient Safety Organizations, Personal Health Record vendors or any
other person that provides data transmission services with respect to
protected health information to a covered entity and that requires access on
a routine basis to such protected health information, and a subcontractor
that creates, receives, maintains, or transmits PHI on behalf of a business
associate.
Example - A data storage company that has access
to protected health information (whether digital or hard copy)
qualifies as a business associate, even if the entity does not view
the information or only does so on a random or infrequent basis.
Thus, document storage companies maintaining protected health
information on behalf of covered entities are considered business
associates, regardless of whether they actually view the
information they hold.

Business Associate Requirements

•Compliance with all Privacy and Security Rule requirements
•Required to ensure compliance by subcontractors
•Subject to the same fines and penalties as covered entities

Covered entities should update business associate agreements to ensure
language that specifies required compliance with HIPAA’s Rules (Privacy,
Security, Privacy Breach Notification, and Accounting of Disclosures) including
those in the HITECH Act and 2013 Omnibus Rules.

2013 Omnibus Rule
Privacy Breach Notification Rule - Risk Assessment - 4 Factors
The rule defines four factors that must be used to more objectively
evaluate whether or not a breach of unsecured PHI requires notification.
Covered entities must consider at least the following factors:
1. The nature and extent of the PHI involved, including the types of
identifiers and the likelihood of re-identification;
• With respect to financial information, to assess this factor, entities should consider
whether the disclosure involved sensitive information such as credit card
numbers, social security numbers, or other information that increases the risk of
identity theft or financial fraud.
• With respect to clinical information, the nature of the services should be
considered, along with the amount of detailed clinical information involved such
as treatment plan, diagnosis, medication, medical history information and test
results.
• The likelihood that PHI containing few, if any, direct identifiers could be re-identified
based on the context and the ability to link the information with other
available information.

2013 Omnibus Rule
Privacy Breach Notification Rule - Risk Assessment
2. The unauthorized person who used the PHI or to whom the disclosure
was made;
• Consider whether the information was impermissibly disclosed to an
unauthorized person who is obligated to abide by privacy laws (i.e., another
covered entity or Federal agency).
• Consider whether the unauthorized person who received de-identified PHI has
the ability to re-identify the information. For example, if information containing
dates of healthcare services and diagnoses of certain employees was
impermissibly disclosed to their employer, the employer may be able to
determine that the information pertains to specific employees based on other
information available to the employer, such as dates of absence from work.


2013 Omnibus Rule
Privacy Breach Notification Rule - Risk Assessment
3. Whether the PHI was actually acquired or viewed;
• For example, if a laptop computer was stolen and later recovered and a forensic
analysis shows that the PHI on the computer was never accessed, viewed,
acquired, transferred, or otherwise compromised, the entity could determine
that the information was not actually acquired by an unauthorized individual,
even though the opportunity existed.


2013 Omnibus Rule
Privacy Breach Notification Rule - Risk Assessment
4. The extent to which the risk to the PHI has been mitigated;
• Covered entities should attempt to mitigate the risks to the PHI following an
impermissible use or disclosure, such as by obtaining the recipient’s satisfactory
assurances that the information will not be further used or disclosed (through a
confidentiality agreement or similar means) or will be destroyed. The recipient of
the information must be considered (i.e., whether or not the recipient can be
relied upon to destroy the information) before the covered entity can conclude
that an impermissible use or disclosure has been appropriately mitigated.


2013 Omnibus Rule
Privacy Breach Notification Rule - Timeliness of Notification
The final rule makes one modification regarding the covered entity's
requirement to provide notice to HHS of all breaches affecting fewer
than 500 patients: notice is due not later than 60 days after the end of the calendar
year in which the breaches were discovered (rather than in which the
breaches occurred).
HHS believes there may be circumstances when a breach goes
undetected for a long period of time. If a breach that occurred in the
previous year is discovered, the covered entity will have until 60 days
after the end of the calendar year in which the breach was
discovered to provide notice to HHS.
Notification to patients remains within 60 days following the date of
discovery of a breach.

Security Rule and HITECH Act
Security Rule
Scope of Information Covered
HHS stated in the February 20, 2003 posting of the Security Standard, as a
general proposition, any electronic protected health information (EPHI)
received, created, maintained, or transmitted by a covered entity is covered
by this final rule. We agree that certain information, from which individual
identifiers have been stripped (known as de-identified information), does not
come into the purview of this final rule.


Security Rule Overview
Security Rule


Security Rule and HITECH Act
Security Rule
Risk Analysis
A covered entity must conduct an accurate and thorough
assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic protected
health information held by the covered entity.
Security Measures implemented to comply with Standards and
Implementation Specifications must be reviewed and modified as
needed to continue provision of reasonable and appropriate
protection of electronic protected health information.


HIPAA Auditing - Security Risk Analysis
Conducting a Risk Analysis

* Date your work!
* Identify the Standard and/or Specification
* Identify the Location of Policies & Procedures
* Document Your Findings
* Document Corrective Actions

The process of conducting a risk analysis involves five critical steps.

1. First, remember to date your work so you can prove when the analysis and corrective actions, if necessary, were completed.
2. Identify the item that you are analyzing or assessing. In the case of a risk analysis this should be the standard or specification that you are reviewing to ensure that your practice has met the requirements for compliance.
3. Identify the location of your policies and procedures. This is a simple reference in the risk analysis that identifies where to find applicable policies and procedures. For example, you may find that policies are included in or controlled by your HR department, IT department, or ideally collected in one location under the control of the Security Officer.
4. Document findings. This is a fairly straightforward step that lists, for example, whether you found that the appropriate policies and procedures were in place and implemented, or whether you found a lack of compliance and a need to develop and implement appropriate corrective actions.
5. Document corrective actions. This step might also be known as implementing remedial actions or corrective actions that are intended to bring your practice into compliance with the guidelines provided in a standard or implementation specification.

HIPAA Auditing - Security Risk Analysis
Administrative Safeguards

STANDARD - Security Management Process
* Risk Analysis
* Risk Management

The risk analysis begins with the first standard under administrative safeguards, which is the security management process. This standard has four implementation specifications.

Risk Analysis - The first specification is to conduct a risk analysis. This is an initial and periodic or subsequent analysis or assessment of the practice’s security processes to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that is collected and maintained by the practice. Documentation of the risk analysis, as with all HIPAA documentation, must be maintained for a minimum of six years. It is important to note that the risk analysis is not a one-time process - it should be completed annually.

Your finding for a Risk Analysis would be to list the date that the risk analysis was conducted.

Risk Management - While the risk analysis is the process of finding, the specification for risk management involves the process of developing and implementing appropriate corrective actions for any risks identified during the risk analysis process.

Your finding for Risk Management would be to verify that appropriate corrective actions (if needed) were implemented by a specific date or, in the case of strong compliance, that there were no corrective actions for this risk analysis.

©2015 Eagle Associates, Inc. 800-777-2337

HIPAA Auditing - Security Risk Analysis
Administrative Safeguards

STANDARD - Security Management Process
* Risk Analysis
* Risk Management
* Sanction Policy

The requirement for a sanction policy requires that your practice have written sanctions or penalties that would be applied when a workforce member fails to comply with the security policies and procedures that have been established by the practice. There are normally two locations for such policies, if they do exist in your practice: one location would be your general HIPAA policy manual, the other an employee handbook or HR policy. The number and severity of sanctions is at the discretion of the practice and can range from verbal reprimands, to written reprimands, to suspension from work, to termination of employment.

It is important for workforce members to know that sanctions will be imposed for violations of security policies and procedures, and what those sanctions are. This should be part of your practice’s new hire orientation training and annual training, and should be covered in a confidentiality agreement that all workforce members are required to sign. The practice should ensure that sanctions, if imposed, are applied equally for all workforce members.

The finding for Sanction Policy should identify that the practice does have existing sanctions that would be imposed for violating the privacy, breach notification, and security policies and procedures of the practice. Be sure to identify the location of the policies, such as whether they are in an employee handbook, HR policies, or general HIPAA policies.

HIPAA Auditing - Security Risk Analysis
Administrative Safeguards

STANDARD - Security Management Process
* Risk Analysis
* Risk Management
* Sanction Policy
* Information System Activity Review

The requirement for Information System Activity Review is intended to provide the practice with the ability to monitor and identify inappropriate access, or use or disclosure of electronic protected health information from the practice's information system. The policy and procedure for this specification should help the practice identify, track, or document unauthorized activities in the information system. While large organizations and institutions might use automated programs, this is more of a periodic or as-needed process in most practice settings. The use of audit logs, access reports, and security incident tracking will be a few of the tools utilized to meet this requirement.

Your finding for the Information System Activity Review would be to verify that the Security Officer or another designated individual in the practice has the capability to perform these functions.
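As an added illustration of the Information System Activity Review described above (example code written for this page, not part of the presentation or of Eagle Associates' materials), the following Python script reviews a constructed EHR access audit log against an assumed roster of active user IDs and assumed role-based authorizations. The log format, user IDs, roles, business hours and bulk-access threshold are all assumptions; a practice would substitute the export format of its own system. The review flags access by user IDs that are no longer on the active roster, actions outside a user's role, after-hours access, and one user touching an unusual number of distinct patient records in a day, which are the kinds of questions an audit log or access report review is meant to answer.

```python
"""Information System Activity Review: reviewing an EHR access audit log.

Added example for this page, not code from the presentation. The log format,
user roster, role authorizations, business hours and threshold are assumptions
constructed for illustration; a practice would adapt them to its own system.
"""
from datetime import datetime

# Constructed sample audit log: timestamp, user ID, action, patient record.
SAMPLE_AUDIT_LOG = """\
2015-03-02T09:14:05,dr.lee,VIEW_CHART,PT-1001
2015-03-02T09:20:41,jsmith,VIEW_CLAIM,PT-1001
2015-03-02T12:02:13,jsmith,VIEW_CHART,PT-1042
2015-03-02T22:47:30,dr.lee,VIEW_CHART,PT-1077
2015-03-03T08:05:00,tmoore,VIEW_SCHEDULE,PT-1001
2015-03-03T08:06:12,tmoore,VIEW_SCHEDULE,PT-1002
2015-03-03T08:07:45,tmoore,VIEW_SCHEDULE,PT-1003
2015-03-03T08:09:01,tmoore,VIEW_SCHEDULE,PT-1004
2015-03-03T10:31:56,rgarcia,VIEW_CHART,PT-1050
"""

# Constructed roster of user IDs the Security Officer currently authorizes,
# with each user's role. rgarcia (terminated) is deliberately absent: the
# termination procedure should have deactivated that ID.
ACTIVE_USERS = {"dr.lee": "clinician", "jsmith": "billing", "tmoore": "front_desk"}

# Constructed role-based authorizations: the actions each role may perform.
ROLE_ACTIONS = {
    "clinician": {"VIEW_CHART", "VIEW_SCHEDULE"},
    "billing": {"VIEW_CLAIM", "VIEW_SCHEDULE"},
    "front_desk": {"VIEW_SCHEDULE"},
}

BUSINESS_HOURS = range(7, 19)  # assumed practice hours, 07:00-18:59
BULK_THRESHOLD = 4             # distinct patients per user per day that warrants review


def parse_log(text):
    """Parse comma-separated audit log lines into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def review_activity(text, active_users=ACTIVE_USERS, role_actions=ROLE_ACTIONS):
    """Return (user, reason) findings for the Security Officer to follow up.

    The roster, not anything in the log, is treated as the source of truth
    for who is authorized and in what role.
    """
    findings = []
    per_user_day = {}  # (user, date) -> set of distinct patient IDs touched
    for ev in parse_log(text):
        user, action, when = ev["user"], ev["action"], ev["time"]
        if user not in active_users:
            findings.append((user, "access by deactivated or unknown user ID"))
            continue
        role = active_users[user]
        if action not in role_actions[role]:
            findings.append((user, f"{action} not permitted for role {role}"))
        if when.hour not in BUSINESS_HOURS:
            findings.append((user, f"after-hours access at {when.isoformat()}"))
        per_user_day.setdefault((user, when.date()), set()).add(ev["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append((user, f"{len(patients)} distinct patient records on {day}"))
    return findings


if __name__ == "__main__":
    for user, reason in review_activity(SAMPLE_AUDIT_LOG):
        print(f"{user}: {reason}")
```

Each finding is a starting point for the designated reviewer, not a conclusion: an after-hours chart view may be an on-call clinician, and a front-desk user opening several schedules is routine, so the thresholds should be tuned to the practice and the outcome of each review documented and dated, as the risk analysis steps above require.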

HIPAA Auditing - Security Risk Analysis
Administrative Safeguards

STANDARD - Assigned Security Responsibility

The requirement for assigned security responsibility requires a practice to designate a single person (security officer) who will be responsible for the development and implementation of policies and procedures as required by the Security Rule. While there is one individual designated as the security officer, they may be assisted by a group or committee.

The finding for assigned security responsibility should identify who has been assigned the role of security officer.

HIPAA Auditing - Security Risk Analysis
Administrative Safeguards

STANDARD - Assigned Security Responsibility
STANDARD - Workforce Security
* Authorization and/or Supervision

The requirement for workforce security involves three addressable specifications. The objective is to ensure that all workforce members have appropriate access to electronic protected health information and that policies and procedures prevent unauthorized access.

The specification for authorization and/or supervision is the process of determining whether a particular user of the practice’s information system has been granted the authority or right to carry out a certain activity, such as reading a file or running a program. Implementation of this specification will vary among covered entities, depending upon the size and complexity of the workforce and of the information system that contains electronic protected health information.

The finding for the specification would identify the types of access that are granted to workforce members, such as global authorization (as found in smaller practices) or role-based authorizations for users of the information system. You should also identify the individual, such as the Security Officer, in your practice who has the administrative ability to assign, monitor, and control access to the information system.

HIPAA Auditing - Security Risk Analysis
Administrative Safeguards

STANDARD - Assigned Security Responsibility
STANDARD - Workforce Security
* Authorization and/or Supervision
* Workforce Clearance Procedures

The specification for workforce clearance procedures ensures that the access of an authorized user of the practice’s information system is appropriate for their role or job title in the practice. There should also be a screening process in place for new hires and outside entities that may be assigned access to the practice’s information system.

The method that a practice uses to screen new hires and outside entities will vary, from simple reference checks to complex background investigations. Note that the requirement does not specify any particular method. At a minimum, a practice should check references on all new hires and entities along with performing a check of the OIG exclusionary database for fraud and abuse listings. Using the OIG database helps accomplish clearance procedures and simultaneously meets the requirement from the OIG to check individuals against their database.

The finding for workforce clearance procedures should identify that the practice does have appropriate policies and procedures for workforce clearance prior to assigning authorized access to the information system. A practice should check references for all new hires and check their identity against the OIG exclusionary database (this OIG check should be repeated, at a minimum, annually for all workforce members).

STANDARD - Workforce Security
* Termination Procedure

The specification for termination procedure requires the practice to have implemented a policy and procedure that ensures the
deactivation of the user's ID for accessing electronic protected health information and the collection of any physical means of
accessing the facilities of the practice (such as collecting keys, changing combination locks, collecting access cards, changing
alarm codes, etc.).
The finding for termination procedure should include a note that indicates who in the practice has the responsibility for terminating
electronic access to electronic protected health information and collecting means of physical access to the facilities of the
practice.
Documentation of the termination process for workforce members and outside entities that have had their access terminated
should be maintained and available for review for a minimum of six years.

STANDARD - Information Access Management
* Isolating Clearinghouse Functions

The standard for information access management has three implementation specifications.
The requirement for isolating clearinghouse functions is actually the responsibility of the clearinghouse used by the practice if the
clearinghouse is owned by a larger organization. The purpose of this specification is for the practice to obtain satisfactory
assurance, through the use of a business associate agreement, that the use and disclosure of electronic protected health
information, as provided to the clearinghouse by the practice, is limited to the contracted services of the clearinghouse and that
the information will not be used or disclosed by the larger organization, if one exists.
The finding for isolating clearinghouse functions is that the practice does have a business associate agreement with the
clearinghouse. The agreement might also be with a larger organization and specifies the isolation of information from the larger
organization.

STANDARD - Information Access Management
* Access Authorization
* Access Establishment and Modification

The specification for access authorization requires that you have written policies and procedures identifying how access to your
information system is assigned or authorized for workforce members and outside entities. Authorization is defined as the act of
determining whether or not a particular user has the right, based on job functions or responsibilities, to carry out a certain activity,
such as reading a file or running a program in the information system.
The finding for access authorization should identify that the practice does have a process or procedure in place to grant and
control access to its information system.
The specification for access establishment and modification is the documentation component of access authorization. The
practice should maintain documentation that identifies the assignment of user IDs (for example, who the user ID has been assigned to),
the date of establishment or assignment, and the dates and details of any modifications up to and including termination from the
information system. Note that many EHR systems now have the capability of producing such documentation for the practice. If
not, the practice should maintain a log or record.
The findings for access establishment and modification should identify that the practice does have such documentation, who has
the responsibility for maintaining it, and that there is an ability to retrieve such information.
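One way a practice without EHR-generated reports could keep the log described under access establishment and modification, and at the same time check the termination procedure (deactivated account, collected keys and codes, six-year retention), as an added example that is not part of the presentation. The register layout, the user IDs, dates and roles are constructed for illustration; the six-year figure is the one the text gives.

```python
"""Access register for user IDs: establishment, modification, termination.

Added example for this presentation (not Eagle Associates' material). It assumes
the practice keeps its own log of user ID assignments because its EHR cannot
produce one; field names, user IDs and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class AccessRecord:
    user_id: str
    assigned_to: str            # person or outside entity the ID was issued to
    role: str                   # role-based authorization granted
    established: date           # date of establishment or assignment
    modifications: List[Tuple[date, str]] = field(default_factory=list)
    terminated: Optional[date] = None
    account_deactivated: bool = False        # electronic access actually revoked?
    physical_access_collected: bool = False  # keys, access cards, alarm codes returned?


class AccessRegister:
    """The documentation component of access authorization, kept as a log."""

    RETENTION_YEARS = 6   # termination records stay available for review six years

    def __init__(self) -> None:
        self.records = {}

    def establish(self, user_id: str, assigned_to: str, role: str, on: date) -> None:
        # Unique user identification: a user ID is never issued twice.
        if user_id in self.records:
            raise ValueError(f"user id {user_id!r} is already assigned")
        self.records[user_id] = AccessRecord(user_id, assigned_to, role, on)

    def modify(self, user_id: str, on: date, detail: str) -> None:
        self.records[user_id].modifications.append((on, detail))

    def terminate(self, user_id: str, on: date, account_deactivated: bool,
                  physical_access_collected: bool) -> None:
        rec = self.records[user_id]
        rec.terminated = on
        rec.account_deactivated = account_deactivated
        rec.physical_access_collected = physical_access_collected

    def findings(self) -> List[str]:
        """Terminated users whose electronic or physical access was not fully revoked."""
        issues = []
        for rec in self.records.values():
            if rec.terminated is None:
                continue
            if not rec.account_deactivated:
                issues.append(f"{rec.user_id}: terminated {rec.terminated} but account still active")
            if not rec.physical_access_collected:
                issues.append(f"{rec.user_id}: means of physical access not collected")
        return issues

    def retain_until(self, user_id: str) -> Optional[date]:
        """Earliest date the termination documentation may be discarded."""
        rec = self.records[user_id]
        if rec.terminated is None:
            return None
        t = rec.terminated
        try:
            return t.replace(year=t.year + self.RETENTION_YEARS)
        except ValueError:           # 29 February: roll to 1 March
            return t.replace(year=t.year + self.RETENTION_YEARS, month=3, day=1)


def build_sample_register() -> AccessRegister:
    """Constructed sample data, not from any real practice."""
    reg = AccessRegister()
    reg.establish("jsmith", "J. Smith (front desk)", "scheduling", date(2014, 3, 1))
    reg.modify("jsmith", date(2014, 9, 15), "billing module added")
    reg.terminate("jsmith", date(2015, 1, 31), account_deactivated=True,
                  physical_access_collected=True)
    reg.establish("rjones", "R. Jones (hygienist)", "clinical", date(2013, 6, 10))
    reg.terminate("rjones", date(2015, 2, 28), account_deactivated=False,
                  physical_access_collected=True)
    reg.establish("itvendor1", "outside IT support", "administrator", date(2014, 11, 1))
    reg.terminate("itvendor1", date(2014, 12, 15), account_deactivated=True,
                  physical_access_collected=False)
    reg.establish("dlee", "D. Lee (dentist)", "clinical", date(2015, 1, 5))
    return reg
```

Running `build_sample_register().findings()` yields two items: the hygienist whose account was never deactivated and the outside IT vendor whose physical access means were not collected. Both are exactly the gaps an auditor reading the termination finding would look for.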

STANDARD - Security Awareness and Training
* Security Reminders

The standard for security awareness and training is intended to ensure that all workforce members, including management,
are aware of security issues and are adequately trained to help ensure the protection of electronic protected health information.
The specification for security reminders requires a practice to provide periodic security reminders for workforce members.
Reminders can include notices or memos in electronic or printed form, agenda items or topics discussed at periodic staff
meetings, posted reminders on bulletin boards, and retraining for specific security policies and procedures. Note that this type of
reminder should be included as part of new hire training and annual security training.
The finding on this specification should indicate that the practice does use security reminders and briefly explain the process used
and where samples and documentation can be located in the practice.

STANDARD - Security Awareness and Training
* Protection from Malicious Software
* Log-In Monitoring
* Password Management

The specification for protection from malicious software is a requirement for the practice to raise awareness of malicious software
and communicate the role of workforce members in protecting the information system. Malicious software can be thought of as
any program that harms information systems, such as viruses, Trojan horses or worms. As a result of an unauthorized infiltration,
electronic protected health information and other data can be damaged or destroyed and, at a minimum, require expensive
and time-consuming repairs. Malicious software is frequently brought into an organization through email attachments and
programs that are downloaded from the Internet.
The specification for log-in monitoring requires a practice to make workforce members aware of the need to monitor log-in
attempts and the responsibility to report discrepancies, alert messages, or other unusual behavior when logging into the
information system.
The specification for password management is intended to remind and make workforce members aware of the need to guard
not only their password but also their user ID to the information system. Be aware that many workforce members may not understand that
the use of their user ID and password leaves a trail identifying all activities, whether by them or by another individual, in the information
system.
The findings for these three specifications should indicate that there is training and awareness for each topic and that it is
provided upon hire into the practice and annually thereafter as part of the practice's security training program.

STANDARD - Security Incident Procedures
* Response and Reporting

The standard for security incident procedures has one specification, which requires a practice to implement procedures for handling and
documenting "security incidents" and the resolution of such incidents. A security incident is defined as an attempted or successful
unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in the
practice's information system.
The specification for response and reporting of security incidents requires a practice to have a system for handling such incidents.
Addressing security incidents is an integral part of the overall security program for the information system. Whether or not a specific
occurrence or incident is considered a security incident, the process of documenting all incidents, what information should be
contained in the documentation, and what the appropriate response should be will be dependent upon the practice's
environment and the information involved in the incident.
A practice should be able to rely upon the information gathered in complying with the other Security Rule standards (for example,
its risk assessment, risk management procedures, and privacy standards) to determine what constitutes a security incident in the
context of its business operations.
The finding for this specification should identify that the practice and its workforce members are aware of what would be
considered potential security incidents, who to report such incidents to, and the documentation of any investigation and
corrective action performed by the practice.

STANDARD - Contingency Plan
* Data Backup Plan

The standard for a contingency plan has five specifications. A contingency can be defined as a future event or circumstance that
is possible but cannot be predicted with certainty, such as an emergency or disaster that might occur and require restoration of
the practice's information system. A worst-case scenario could include a practice burning to the ground or being wiped out by
severe weather events such as tornadoes, hurricanes, and flooding. So, a contingency plan could also be defined as what
your practice will do, in the event of an emergency, to ensure the integrity and availability of patient information and continued
operations to serve the patients of the practice.
The specification for a data backup plan requires a practice to establish and implement procedures to create and maintain
retrievable exact copies of electronic protected health information that it has collected, created, and maintains on its patients.
Data backup can vary from practice to practice, using either local backup (such as tape or other local drive backup) or a cloud
service or other remote devices. A critical element is to ensure that your backup data is stored off-site from the practice. This will
ensure its availability in the event of a worst-case loss of the information system.
The finding for the specification would identify that the practice does have a system for backing up its data, that the data is stored
off-site, and that it is secure (i.e., encrypted or secured by other means). This is a specification that should include detailed
operating procedures identifying how the backup process is achieved, the location of the stored data, the security for the stored
data, and the means for retrieving and using the backup data to restore the information system.

STANDARD - Contingency Plan
* Disaster Recovery Plan
* Emergency Mode Operations

The specification for a disaster recovery plan requires a practice to have plans and procedures to recover and restore data in the
case of any disaster. The timeliness of the actions in this specification will be somewhat dependent upon the disaster or emergency,
and the specifications for emergency mode operations and application and data criticality analysis will play a role in
determining the restoration of the practice's information system. One of the critical elements for a disaster recovery plan would
include identifying the hardware and applications that would be needed to restore or rebuild the information system in the event
of an emergency or disaster.
The finding for this specification should include identifying that a listing of assets for the information system is maintained (both on-site and off-site) to ensure availability for its use.
The specification for emergency mode operations requires a practice to address how it will continue to operate and serve
patients in the event of an emergency or disaster. An emergency can range from a power outage or blackout to natural disasters
such as hurricanes, tornadoes, and earthquakes. Emergency mode operations will also be dependent upon the length of time
that the emergency or disaster will be affecting the information system.
The finding for the specification should list options for the practice and its ability to serve patients in the event of an emergency or
disaster. This could include closing the practice until power is restored and the information system is operating again, choosing to
continue serving patients in a paper-based mode until the information system is restored and then entering data at that time, the
possibility of operating from a remote location, or the use of a backup generator system, which would require verifying the integrity
of your data prior to continuing operations utilizing the generator system.

STANDARD - Contingency Plan
* Testing and Revision
* Application and Data Criticality Analysis

The specification for testing and revision requires a practice to review the elements of its contingency plan to ensure that it is still
viable and includes current technical capabilities, environmental considerations, and current regulatory requirements. This
requirement can be accomplished by conducting an annual risk analysis, which would include reviewing and revising, if necessary,
elements of the contingency plan.
The finding for the specification could be as simple as stating that the elements of the contingency plan are reviewed on an
annual basis as part of the practice's annual risk analysis process.
The specification for application and data criticality analysis should identify what software applications and data from the
information system would be critical to continuing operations in the event of an emergency or disaster or significant problem with
the information system. Meeting this requirement could include options that were discussed under emergency mode operations.
The finding for this specification should identify the applications and data that would need to be available to the security officer
and management personnel in the event of an emergency or disaster or significant problem with the information system.

STANDARD - Evaluation
STANDARD - Business Associate Agreements

Evaluation is both the standard and a specification requiring the practice to periodically evaluate and determine if its security
policies and procedures continue to provide protection for electronic protected health information. This is accomplished through
ongoing monitoring and evaluation of the practice's environment, technical capabilities, and regulatory requirements. Conducting
an annual risk analysis will enable a practice to meet this requirement.
The findings for this specification should indicate how the practice periodically evaluates security policies and procedures. As
stated, conducting an annual risk analysis will ensure proper monitoring and evaluation for this requirement.
The requirement for business associate agreements is again both a standard and a specification. A practice is expected to
maintain business associate agreements with persons and entities that fit that description, as required by the Privacy Rule and now,
again, for security. The 2013 Omnibus Rule required modifications or updates to existing business associate agreements. The
security officer or individual with responsibility in the practice for maintaining such agreements should ensure that updates were
made in accordance with the 2013 changes.
The findings for this standard should indicate that the practice does have business associate agreements with persons or entities
that fit that description, who is responsible for maintaining the agreements, and the location of the agreements.

Physical Safeguards
STANDARD - Facility Access Controls
* Contingency Operations

As mentioned previously, physical safeguards are intended to provide the practice with physical measures, policies, and
procedures to protect the practice's electronic protected health information, building or facilities, and equipment.
The standard for facility access controls has four specifications that require a practice to develop and implement procedures for
securing the physical facility of the practice.
The specification for contingency operations is fairly straightforward in that it requires a practice to identify individuals or entities
that would require access to the practice's facility to assist in restoration or rebuilding of the information system in the event of an
emergency or disaster. This could be accomplished by creating a list or allowing the security officer and management personnel for
the practice to identify appropriate personnel they would deem necessary to have access to the facility in the event of an
emergency or disaster.
The finding for the specification should identify how the practice will restore or continue operations and who would be needed to
assist in that effort.

STANDARD - Facility Access Controls
* Facility Security Plan
* Access Control and Validation
* Maintenance Records

The specification for a facility security plan will ensure that only authorized personnel will have access to the practice's facility and
equipment that contains electronic protected health information. Documentation of who will have access will be accomplished in
the next specification. This specification also requires a practice to identify how it will secure its facility.
The findings for the specification should indicate how the facility is secured. Examples would include the use of key locks,
combination locks, pass cards, alarm codes, and other means for controlling physical access.
The specification for access control and validation would be the documentation portion of the practice's facility security plan.
The findings for this specification would indicate how the practice assigns means of access to the facility and controls or
maintains accountability for the assignment of keys, codes or other means of access.
The specification for maintenance records requires that a practice maintain a system for documenting modifications or
maintenance affecting means of access to the facility. For example, this would include documenting changing key locks, alarm
codes or other means of access to the facility and, in the event that the information system is secured in a separate room, modifications
for access to that location.
The finding for this specification should be that the practice maintains or (if there has been no maintenance) will maintain
appropriate documentation.

STANDARD - Workstation Use and Security

The standard for workstation use and security relates to the physical location, surroundings, and use of workstations and other
devices that can access and/or store electronic protected health information. This would include evaluation of desktop
computers, laptops, tablets, exam room terminal screens, smart phones, PDAs, laboratory analyzers, EKG machines, and other
such devices that are capable of either accessing or storing patient information. Another consideration for this specification
comes into play when the practice has workforce members that operate from remote locations, including homes. Concerns to
address in this specification include:

* Has staff been instructed on the proper use of their workstations and the need to limit access by non-workforce members?
* Has staff been instructed on the location and placement of computer screens to only allow clear viewing by authorized individuals?
* Has the practice implemented the use of password-protected screen savers and/or automatic logoff in areas where devices might be left unattended and accessible to unauthorized personnel?
* Have workstation security policies and procedures been implemented with staff that work remotely, have access to, or work with devices storing electronic protected health information?
* Have physical safeguards such as limited access areas been identified to prevent use of workstations by unauthorized personnel?
* Have all types of workstations with access to, or storage of, electronic protected health information been identified?
* Are current physical safeguards for workstations effective?
* Is there a need to implement additional measures to ensure the physical safeguarding of workstations?

The findings for this standard will be determined by answers to these questions.

STANDARD - Device and Media Controls
* Disposal
* Media Reuse

The standard for device and media controls has four specifications. The objective is to implement policies and procedures that
control the receipt and removal of hardware and electronic media that contain electronic protected health information into
and out of the practice, and the movement of devices and media within the facility. As referenced here, the term "electronic
media" means electronic storage media, including memory devices in computers and any removable/transportable digital
memory medium, such as magnetic tape or disk, optical disk, or digital memory card. This standard covers the proper handling of
electronic media, including receipt, removal, backup, storage, reuse, disposal and accountability.
The specification for disposal requires that your practice have policies and procedures to ensure that electronic protected health
information is securely removed from devices (including devices such as digital copy/fax machines) and media, or that the device
or media is sufficiently damaged beyond repair, making the data inaccessible.
The findings for this specification should identify how your practice properly disposes of media and devices. The security officer
should maintain a record of electronic media disposal that demonstrates requirements have been met.
The specification for media reuse requires policies and procedures governing the reuse of electronic media rather than its disposal.
Whether electronic media is reused within the practice or outside, it is important to remove all electronic protected health
information stored on the media to prevent unauthorized access to patient information. Internal reuse may include redeployment
or sharing of media such as flash drives, CDs, DVDs, tapes, etc. External reuse may include donation of electronic media to charity
organizations, schools or, in some cases, resale to employees or others.
The findings for this specification will be determined based on whether or not your practice does reuse electronic media.

STANDARD - Device and Media Controls
* Accountability
* Data Backup and Storage

The specification for accountability is only applicable if the practice moves devices (that store electronic protected health
information) to locations other than the primary facility. Other locations would include satellite offices as well as homes of staff or
other workforce members. This specification does not apply to portable devices such as laptops or tablets that are moved from,
and consistently return to, the primary facility.
The findings for this specification will depend upon these questions:

* Does the practice relocate devices that store electronic protected health information?
* If yes, is there documentation that tracks the relocation of such devices?

The specification would be not applicable if your practice does not relocate such devices.
The specification for data backup and storage requires a practice, prior to moving devices that store electronic protected health
information, to back up such data for restoration on the device in the event that the original data were damaged or its integrity
was questioned due to the movement.
The finding for this specification is dependent upon whether or not your practice does move devices.

Technical Safeguards
STANDARD - Access Control
* Unique User Identification

As mentioned previously, technical safeguards are intended to provide the technology, policies, and procedures for the use and
protection of electronic protected health information in a practice's information system. The Security Rule does not require specific
technology solutions. There are many technical security tools, products, and solutions that a practice can select from. Determination
of specific security measures is up to each individual practice, based upon what is reasonable and appropriate for the size and
complexity of the practice.
The standard for access control has four specifications. The practice must implement technical policies and procedures that allow
access to the information system and electronic protected health information only by those persons that have been granted access
rights, as specified in the Security Rule. This requirement relates to the administrative safeguards on access authorization and
access establishment and modification.
The specification for unique user identification requires a practice to ensure that each user of the information system has a unique
identification to access the system. A practice should assign a username and password for each workforce member, technical
support personnel, and outside entities who will have access to the information system. The security officer should ensure that all
user IDs are unique and are not shared.
The findings for this specification should indicate that each workforce member has been assigned a unique user identifier and that
this identifier can be used to track user activity within the information system.

STANDARD - Access Control
* Emergency Access Procedures
* Automatic Logoff
* Encryption/Decryption

The specification for emergency access procedure requires a practice to establish procedures for obtaining necessary electronic
protected health information during an emergency or disaster. The security officer should identify the persons who will be
responsible for restoring access in such cases. The designated individuals will be responsible for determining how access to
information will be gained in the event that normal environmental systems, such as electrical power, are inoperable due to a
natural or man-made emergency or disaster.
The findings for this specification should identify that the security officer has established persons and/or outside entities that may
be necessary to assist in restoring access to information in the information system in the event of an emergency or disaster.
The specification for automatic logoff requires that a practice implement electronic or, as an alternative method, manual
termination of an electronic session after a predetermined time of inactivity, or at the end of the day.
The findings for the specification should identify the practice's method for meeting the requirement for automatic logoff or the
practice's use of an alternative method such as manual termination of electronic sessions.
The specification for encryption/decryption requires a practice to implement a method or mechanism to encrypt and decrypt
electronic protected health information. This is especially critical for backup data and portable devices or media that store such
information.
The findings for this specification should identify that the practice has inventoried and identified devices and media requiring the
use of encryption to protect patient information.

STANDARD - Audit Controls

The standard for audit controls requires that a practice implement mechanisms that will record and allow tracking of user activities
within the information system. EMR systems may provide the practice with the ability to audit, track, and produce documentation
of user activity. For most practices, the use of audit controls and reports will function as an investigative tool that enables the practice
to determine unauthorized and inappropriate use of electronic protected health information within the information system.
The findings for this specification will be determined by the ability of the practice or security officer and their understanding of
functions within the EMR system that provide the capability for auditing activities of individual users in the information system.
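An added example of the investigative use of audit controls described above, which also covers the log-in monitoring specification (repeated failed log-in attempts) and unique user identification (activity under an ID that is not in the access register). It is not part of the presentation; the audit-trail line format, the user IDs, workstation names and the 07:00 to 19:00 business hours are constructed, and a real EMR export would need its own parser in place of `parse_event()`.

```python
"""Review of an EHR audit trail for log-in problems and after-hours access.

Added example (not part of the presentation). The log format, user IDs,
workstation names and business hours are constructed; a real EMR export
will need its own parser in place of parse_event().
"""
import re
from collections import Counter
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Constructed sample export: timestamp followed by key=value fields.
SAMPLE_LOG = [
    "2015-03-02 08:12:05 user=jsmith action=LOGIN result=SUCCESS workstation=FRONT1",
    "2015-03-02 08:13:40 user=jsmith action=VIEW_RECORD patient=P1042 result=SUCCESS workstation=FRONT1",
    "2015-03-02 22:47:10 user=jsmith action=VIEW_RECORD patient=P2210 result=SUCCESS workstation=FRONT1",
    "2015-03-03 03:10:01 user=rjones action=LOGIN result=FAILURE workstation=OP2",
    "2015-03-03 03:10:30 user=rjones action=LOGIN result=FAILURE workstation=OP2",
    "2015-03-03 03:11:02 user=rjones action=LOGIN result=FAILURE workstation=OP2",
    "2015-03-03 09:00:12 user=dlee action=LOGIN result=SUCCESS workstation=OP1",
    "# not an audit event; the parser must skip it",
]

# User IDs currently listed in the access register (rjones was terminated).
ACTIVE_USERS = {"jsmith", "dlee"}

EVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields with a datetime under 'ts', or None for non-events."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields: Dict[str, object] = {}
    for token in m.group(2).split():
        if "=" not in token:
            return None
        k, v = token.split("=", 1)
        fields[k] = v
    fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return fields


def review(lines, active_users, business_hours=(time(7, 0), time(19, 0)),
           failure_threshold=3) -> List[Tuple[str, str, str]]:
    """Produce (finding, user, when) tuples for the security officer to investigate."""
    start, end = business_hours
    findings = []
    unknown_users = set()
    failures: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user = str(ev.get("user", "?"))
        ts = ev["ts"]
        # Activity under an ID not in the register: terminated user, or a shared/unknown ID.
        if user not in active_users:
            unknown_users.add(user)
        if ev.get("action") == "LOGIN" and ev.get("result") == "FAILURE":
            failures[(user, ts.date().isoformat())] += 1
        elif ev.get("result") == "SUCCESS" and not (start <= ts.time() < end):
            findings.append(("AFTER_HOURS_ACCESS", user, ts.isoformat(sep=" ")))
    for (user, day), n in failures.items():
        if n >= failure_threshold:
            findings.append(("REPEATED_LOGIN_FAILURES", user, f"{day} ({n} failures)"))
    for user in sorted(unknown_users):
        findings.append(("ID_NOT_IN_ACCESS_REGISTER", user, "see access register"))
    return findings


def review_sample() -> List[Tuple[str, str, str]]:
    """Run the review over the constructed sample export."""
    return review(SAMPLE_LOG, ACTIVE_USERS)
```

On the sample export the review returns three findings: a record viewed at 22:47, three failed log-ins in one night, and activity under a terminated user's ID. The thresholds and hours are deliberately parameters, since what counts as unusual differs between a single-dentist office and a multi-site practice.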

The standard for integrity and mechanism to authenticate is met by implementing electronic mechanisms to confirm that

HIPAA Auditing - Security Risk Analysis
Technical Safeguards

electronic protected health information has not been accessed or altered or destroyed in an unauthorized manner.
Integrity is defined in the Security Rule as the indication that data or information has not been altered or destroyed in an

STANDARD - Integrity and Mechanism to Authenticate

unauthorized manner. Protecting the integrity of electronic protected health information is one of the primary goals of the Security
Rule. Information that has been improperly altered or destroyed can result in clinical quality problems for the practice, including
patient safety issues. The integrity of data can be compromised by both technical and non-technical sources. Workforce members
or business associates of the practice may make accidental or intentional changes that improperly alter or destroy information in
the practices system. Data can also be altered or destroyed without human intervention, such as by electronic media errors or
failures.
Methods to protect data integrity and the physical environment include: making server successful only to network administrators,
keeping transmission media such as cables and connectors covered and protected to ensure they cannot be tapped, and
protecting hardware and storage media from power surges, electrostatic discharges, and make magnetism.


The findings for the specification will be determined by the practice’s ability to control access to electronic protected health
information and prevent unauthorized alteration or destruction of patient information.
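An added example, not from the presentation, of the kind of electronic mechanism the integrity standard calls for: each ePHI record carries a keyed hash (HMAC-SHA256) recorded in a manifest, so a record altered outside the application, or a record that has been destroyed, is detected on verification. The key, record IDs and patient data are constructed for the demonstration.

```python
import hashlib
import hmac
import json

def canonical(record: dict) -> bytes:
    # Deterministic serialization so equal content always yields the same tag
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def tag_record(key: bytes, record: dict) -> str:
    # Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag,
    # so an edit made outside the application cannot be re-tagged to hide it
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_record(key: bytes, record: dict, tag: str) -> bool:
    # Constant-time comparison so the check itself does not leak the tag
    return hmac.compare_digest(tag_record(key, record), tag)

def verify_store(key: bytes, store: dict, manifest: dict) -> dict:
    """Check every record the manifest says should exist.
    Returns {record_id: "ok" | "altered" | "missing"}; "missing" covers the
    destruction case the integrity standard also names."""
    results = {}
    for rid, tag in manifest.items():
        record = store.get(rid)
        if record is None:
            results[rid] = "missing"
        elif verify_record(key, record, tag):
            results[rid] = "ok"
        else:
            results[rid] = "altered"
    return results

# Constructed sample data: a hypothetical key and two fictitious patient records
DEMO_KEY = b"constructed-demo-key; keep real keys in a KMS, not in source"
DEMO_STORE = {
    "pt-001": {"name": "Jane Doe", "dob": "1980-01-01", "allergy": "penicillin"},
    "pt-002": {"name": "John Roe", "dob": "1975-06-30", "allergy": "none"},
}
# The manifest (record id -> tag) is written when records are created and kept
# apart from the store, e.g. on a server only network administrators can reach
DEMO_MANIFEST = {rid: tag_record(DEMO_KEY, rec) for rid, rec in DEMO_STORE.items()}

def demo() -> dict:
    """Simulate an unauthorized edit and a deletion, then run the check."""
    tampered = {rid: dict(rec) for rid, rec in DEMO_STORE.items()}
    tampered["pt-001"]["allergy"] = "none"  # silent alteration of clinical data
    del tampered["pt-002"]                   # record destroyed
    return verify_store(DEMO_KEY, tampered, DEMO_MANIFEST)
```

Running the verification on a schedule and alerting on any result other than "ok" gives the audit trail the findings for this specification look for.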

HIPAA Auditing - Security Risk Analysis
Technical Safeguards

STANDARD - Person or Entity Authentication

The standard for person or entity authentication requires a practice to implement procedures that will verify that a person or entity
seeking access to electronic protected health information is who they claim to be. In general, authentication ensures that a person is, in
fact, who he or she claims to be prior to allowing access to information. This is accomplished by providing proof of identity. There
are several basic ways to provide proof of identity for authentication purposes:

• Requiring the use of a unique user ID with an established password or PIN.
• Requiring individuals to use a smart card, a token, or a key for access to information.
• Requiring something unique to the individual, such as biometrics. Examples of biometrics include electronic recognition of
fingerprints, voice patterns, facial patterns, or iris patterns.

Most practices will utilize one of the first two methods for authentication to access their information system. If the authentication
credentials entered into the information system match those stored in the system, the user will be authenticated and provided
access to the information system.
The findings for this specification will identify that the practice has established appropriate policies and procedures for
authentication of users attempting to access the information system.

HIPAA Auditing - Security Risk Analysis
Organizational Requirements

STANDARD - Policies and Procedures

The standard for policies and procedures requires a practice to develop and implement reasonable and appropriate policies and
procedures in compliance with the standards, implementation specifications, or other requirements of the Security Rule. While this
standard requires a practice to develop and implement written policies and procedures, it does not define either “policy” or
“procedure”. Generally, policies define a practice's approach or intent to comply with a requirement within a regulation.
Procedures describe the methods that the practice will use to fulfill, or comply with, the policy. The findings for this standard should
indicate the existence of the required policies and procedures.

STANDARD - Documentation

The standard for documentation has three requirements. A practice must maintain policies and procedures in written or electronic
form. A practice must maintain written or electronic documentation of actions, activities, or assessments required by the Security
Rule. A practice must retain HIPAA-related documentation for a minimum of six years from the date of its creation, or the date
when it was last in effect, whichever is later. The findings for this standard will be based upon a practice's ability to confirm that it meets
the three requirements.

STANDARD - Availability

The standard for availability requires a practice to make documentation available to those persons or entities responsible for
implementing the policies and procedures to which the documentation pertains. The findings for this standard should confirm that
policies and procedures are available for implementation and review.

STANDARD - Updates

The standard for updates requires that a practice periodically review policies and procedures and, as needed, update them to
reflect changes in regulatory requirements or the operational characteristics of the practice affecting the security of electronic
protected health information. The findings for this standard should confirm that the practice has appropriately maintained and
updated its security policies and procedures.
