HIPAA On-Site Assessment Review for Small Medical Practices
With all the attention that is paid to HIPAA compliance for hospitals, medical plans and other larger health care providers, we at The Saturn Partners do not believe enough attention is being paid to the real need by smaller medical practices (50 employees and under) for onsite review and HIPAA compliance audit assistance covering items in the HPAA rules concerning privacy and administration areas. Here is what The Saturn Partners can offer your small medical practice to assist your staff in staying on top of the latest HIPAA/HITECH standards developments:
- Inspection of Office/Facility Environment. The approach to be used is to examine where information is stored, where the access is located of computer equipment used to store PHI, and location of hard copy PHI such as paper files or other filed documentation. We take the viewpoint of a government HIPAA auditor and follow proper guidelines to maximize levels of security regarding storage methods of this confidential information.
- Review of Security Policies: One critical area of security vulnerability in storage and use of PHI involves the existence and relevance of network and physical security policies, regularly updated and reviewed at least annually, to satisfy requirements under the HIPAA/HITECH security rules. Review looks to ascertain that the policies are relevant as far as proper content, outlining all safeguards recommended or required by HIPAA to ensure security breach risk is minimal. We will revise security policy for your office, if need be, to be sure policies on file reflect proper content under HIPAA.
- Managerial Interview: Here is where we talk with you about your managerial practices in handling employee training regarding proper HIPAA guidelines and make recommendations in our report about this important issue to be sure both new hires and existing employees are aware of their individual responsibilities involving everything from verbal communication, to proper handling of patient related paperwork and filing of insurance claims to be certain policy is in place or needs to be constructed by us to meet proper HIPAA guidelines.
- Employee Interviews: We conduct these while onsite, if physically possible, (if not, by phone) to ascertain from individual employees their beliefs, practices and level of knowledge about handling both ePHI and physical PHI. If your policies don’t dictate it now we generally want to develop a short questionnaire on PHI handling measures and guidelines to with which to test existing employees’ knowledge of HIPAA PHI protection measures. This can be used as a “test” for new hires before proceeding past training into handling PHI on their own.
- Review of Disaster Recovery/Business Continuity Plan: This should be a part of your set of security policies in place. Our experience shows us that most small offices don’t have one. This is both for your ePHI and PHI, in case of fire, flood, breach or any other element which could tamper with or destroy precious patient records. We review what you have or advise on what you should. The construction of this plan is beyond the scope of this review audit but we can quote the work if you need a plan from scratch. If you have one we review it for soundness and compliance; it should be tested in some capacity every six months. We also look at your vendors for emergency backup, power source and other recovery tools to be sure they are accessible in a disaster situation.
- Review of Vendor Agreements: This is a very important area, as we review policy and procedures for allowing of vendor access to ePHI and PHI, with an eye on the HIPAA/HITECH rules under “Safe Harbor” and “Business Associate Agreements.”
In addition to this helpful onsite review, The Saturn Partners can also write and test network security policies, disaster recovery plans and conduct full vulnerability assessments to directly address the security rule under the HIPAA guidelines.