HIPAA Compliance: Keep Your Health and Payment Information Secure


Health information security is under siege. It has come under real attack over the past several years, and there have been many HIPAA breaches, usually caused by someone losing something: a laptop, a memory stick, a backup tape. Conduct a thorough and detailed HIPAA risk assessment to protect your organization from security breaches. The tips below explain how.

Updating Your Risk Analysis and Doing a New One from Scratch

Risk analysis is the sort of thing that changes quickly. Every time you adopt a new system or change how you do business, you introduce new potential risk points into your systems.

Many organizations like to do a complete risk analysis on a regular basis, but is that yearly or every two years? What is becoming standard in the healthcare world is a complete risk analysis, a complete review: start from scratch, take what you had before, see what has changed, make sure you touch all the bases, and talk with everybody.

That should be done probably no more than two years apart, because if you wait too long you risk being out of compliance. If HHS decides to conduct a healthcare audit, shows up at your offices, and your HIPAA risk assessment is out of date and doesn't represent what's actually going on, you're going to be in trouble.

So people will probably do this more frequently than they used to, given the changes in the regulations. But whenever your systems change, or a new kind of threat is discovered, such as a new kind of virus or a new kind of internet threat, you need to make changes. Make sure you update your risk analysis accordingly.

Ensure You've Covered All the Risks You Identified in Your Analysis

How can you be sure you've really covered everything? Information security is one of those things you can spend as much time and money on as you have. You can turn over every stone and look at every little detail. How do you know when you've gone far enough?

It's a matter of making sure you're comfortable that you haven't missed anything. But how much detail do you need to go into, how far do you need to look, and how can you be sure you've found everything?

Chances are, by the time you're through with your risk analysis and your HIPAA risk assessment, somebody is already doing something differently. That's why flexibility and the ability to follow up on these things are important. You need to do everything you can to talk to everybody who's involved with the information, and make sure you ask all the follow-on questions.

If you don't understand something somebody said, or you're not sure you've really covered all the bases, ask again. Maybe ask somebody you didn't interview whether the information you have matches their experience.

Make sure you talk with the people who really know what's going on, not just the managers and not just whoever is described as the "key people". Find out who has been there the longest and who really knows the details.

Do your best to talk with everybody and chase down all the loose ends. Once you've done enough of these, you get a feel for when you're reaching the end.

But the first time you go through one, look at your organization chart and make sure you've covered every department. Make sure you know what systems everyone has in place. Get a list of systems from the IT department; they may already have an inventory of all your systems.

Make sure you've talked to everybody who interacts with those systems, and when you talk to people, prompt them for the information you need about all of those systems.

To learn more about HIPAA security standards, visit our HIPAA online training page.