Demystifying HIPAA and the Security Risk Assessment

by Steven Marco, President, HIPAA One

As a business owner, my professional conversations with physicians run the gamut, from how my business services can solve their problems, to exchanging ideas and best practices, and offering support in starting and growing a business. I get the feeling that physicians running a medical practice often feel like they have a target on their back because staffing, management, regulations, documentation, and reimbursement have become such big parts of medicine. 

Building a business requires tremendous time, money and effort in order to become profitable. The compliance landscape shifts and evolves. Today, a HIPAA Security Risk Analysis has become a prerequisite for almost any medical practice that collects state and federal reimbursements. An often overlooked benefit is that the same Security Risk Analysis can also improve the efficiency and professionalism of the practice.

But how does complying with HIPAA help?

First, HIPAA Security is greatly misunderstood. HIPAA was originally passed in 1996 to address insurance portability and administrative simplification; the later Privacy Rule gave patients the right to access their own health information. Today, HIPAA enforcement is the main driver to ensure we don't mishandle or otherwise treat patients' protected health information (PHI) with neglect, willful or not.

Many practices believe that if they complete a quick checklist or perform a risk assessment with an auditor on the phone and get a final report, they are done and have "checked the box." Like filing a rushed tax return, this quick approach diminishes the value of HIPAA. If embraced, HIPAA's Security Risk Analysis checklist of best practices provides ongoing benefits, such as:

Staff morale:

  • Policies and Procedures establish a code of conduct on how staff should represent the clinic in day-to-day interactions with patients.
  • Guidance on handling patients, staff, processes and technology provides operational clarity.
  • Assurance that the IT department keeps Electronic Medical Records available (e.g. performance, backups and recovery), complete and accurate, and confidential, the three properties the Security Rule requires for electronic PHI.
  • A clear baseline on how to handle all aspects of patient releases, authorizations, business associates and internal operations.

Technology:

  • One aggregated place for information about patient visits can contribute to population health research and disease management.
  • Encryption of laptops, desktops, smartphones and all portable media can reduce the risk of having to report a breach by up to 68% (according to OCR breach data for theft, loss and improper disposal). Under the Breach Notification Rule, PHI encrypted in line with HHS guidance is considered "secured," so a lost or stolen device does not trigger notification as long as the decryption key was not compromised with it.
  • Meaningful Use provides incentives and ongoing reimbursements (soon to be folded into MACRA).

Clinic appearance:

  • Staff attire, name badges and a proper patient waiting area separate from the clinical space support HIPAA compliance and improve the professional look and feel of the clinic.
  • Training and employee awareness reinforce policies and procedures, which improves morale and reduces risk to the clinic.

The Bottom Line:

Conducting a HIPAA Security Risk Analysis covers the Administrative, Physical and Technical safeguards of the Security Rule and provides a snapshot of where the clinic is performing well and where improvements are needed. If a HIPAA Security Risk Analysis is the snapshot, then the "moving picture" is the ongoing process of closing gaps in compliance, not only to reduce the chances of a security breach but also to improve the efficiency of the healthcare office. For a quick 5-minute assessment, take our high-level HIPAA Security Assessment quiz and see how your practice fares against the top 13 most overlooked items.

Take the quiz, and the results say it all: You likely need help. 

If you're an athenahealth client, join Steven Marco, President of HIPAA One; Rich Devlin, CEO of Sentry Healthcare Informatica; and Jonathan Seery, of the athenahealth Meaningful Use Performance team, for a webinar on Wednesday, June 29th at 1pm ET covering:

  • The history of HIPAA and the SRA requirement
  • What makes an SRA successful and audit-proof
  • What you can do NOW to kick off your SRA and ensure compliance

Steven Marco is President of HIPAA One. He has helped over 1,600 sites become compliant with the HIPAA Security Rule, with a 100% success rate in responding to audits using the HIPAA One software program. With over 20 years of experience as a Certified Auditor, Steve holds a Bachelor's Degree from Ryerson University in Computer Information Systems Management and Corporate Law.

Cloudview Blog