Health Information Compliance Alert
Know the Facts on Hiring HIPAA Audit Help
PDF
Question: Our large, primary care practice takes HIPAA very seriously, and we do our best to maintain compliance with the rule. At our last planning meeting, we realized it’s time to do another annual HIPAA risk assessment. Since it is a requirement under the HIPAA Security Rule, should we hire an outside consultant to do the assessment and analysis or is it ok for our compliance officer or IT manager to perform the audit? South Carolina Subscriber Answer: No, it is not legally necessary to engage an outside HIPAA expert to perform your annual risk analysis. But that being said, it’s never a bad idea to have more than one opinion on ways your practice can decrease its chances of a violation. The size, scope, and specialty of your organization usually determines the necessity of an outside resource. But, if the same person who does the assessment manages the implementations both monthly and annually, it might be a good idea for a change. “I think it is good to engage an outside consultant, to ensure that those issues that staff may be blind to can be revealed,” advises Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, Vermont. Sheldon-Dean adds, “But, reviews can also be internally directed, and it can be useful to have a mix, alternating reviews by internal or external parties, or alternating between two external parties.” An outsider can look at your practice challenges objectively and is more likely to call out issues that staff may purposely ignore, particularly as the majority of breaches are caused from insider threats. “I doubt that insider issues would affect the risk analysis, since the risk analysis will dictate what needs to be done for security, but leave the investigation of what’s gone wrong to the processes instituted according to the risk analysis,” Sheldon-Dean cautions. “Doing the risk analysis, whether by internal or external parties, will result in exposing the need to look for improper insider activity, which is a required but often ignored process.”
Health Information Compliance Alert
- Telehealth Services:
Feds Focus on the Evolution of Telehealth Post-COVID
Expect more changes in the coming months, too. If your organization has relied heavily on [...] - Congress Acts to Bolster Telehealth Long Term
As the Centers for Medicare & Medicaid Services (CMS) begins to put out policy proposals [...] - Policy:
Federal Agencies Collaborate to Thwart Telehealth Discrimination
New guidance offers tools to deal with telehealth inequity. The pandemic revealed systemic health inequities, [...] - COVID-19:
Feds Renew the PHE … Again
But: Don’t slack on compliance just because the PHE keeps getting renewed. If you were [...] - Reader Questions:
Safeguard ePHI from Unauthorized Disclosure With This Advice
Question: A provider in our practice informed us that they have been sending patient records to [...] - Reader Questions:
Know the Facts on Hiring HIPAA Audit Help
Question: Our large, primary care practice takes HIPAA very seriously, and we do our best to [...] - Reader Questions:
Boost Documentation Accuracy With This EHR Advice
Question: We’ve heard many warnings about the dangers of using EHR templates, but we aren’t sure [...] - Enforcement News:
OCR Continues to Focus on Right of Access Violations
If your patients ask for a copy of their medical files, you don’t want to [...] - Enforcement News:
Be Aware of Healthcare-Related Spoofing Schemes
If you or your patients get a call that shows up on caller ID as [...] - Enforcement News:
Weigh In on ONC’s Annual Update for Interoperability Standards
The HHS Office of the National Coordinator for Health Information Technology (ONC) is asking all [...]