John’s Note: One of the requests I got in the recent survey I did was to cover more details of HIPAA. So, I’m glad to have John Brewer (yes, another John) providing some guest posts on the subject.
Do they go together like peanut butter and jelly? Cookies and milk?
Nothing quite as good as these…but they do go together…now.
HIPAA has been around for some time. Many argue that HIPAA has no “teeth”. Sure it has big fines…but when’s the last time you heard of a physician getting fined for a HIPAA violation?
In steps Meaningful Use.
Buried in the details of the Stage 1 Core Objectives is a single block that refers to the seemingly innocuous statement of “Conduct a risk analysis per 45CFR164.308(a)(1)”.
A risk analysis seems simple enough…right?
Dig a little deeper and you’ll see something a bit more unpleasant. 164.308(a)(1) requires the following:
- Risk analysis – clear enough…
- Risk management – with reference to 164.306(a) – Uh oh…
- Sanction policy
- Information System Activity Review
Whew…now it is starting to get ugly. Where shall we start?
As usual, I like to go from easiest to most difficult.
The easiest thing to tackle here is the Information System Activity Review.
This is a mouthful, but your shiny new Meaningful Use certified EHR will have a report for this, which will cover most of this requirement.
In order for this report to show information that is useful, you need to ensure you have set up the users in your EHR in the correct way.
By this I mean:
- Each user must have their own login,
- Each user must only have access to the areas of the EHR that are appropriate for their position,
- For example, the front desk “receptionist” should only have access to the calendar section of the EHR, whereas a nurse would have full medical record access.
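As an added illustration (not from the post and not any vendor's EHR code), here is a small Python model of that setup: a role-to-section map following the receptionist/nurse example above, plus an activity-review pass over a constructed sample log that flags access outside a role and accounts that appear to be shared. The role names, section names and log format are assumptions for the example.

```python
# Added example: a minimal role-based access check and activity-review pass
# for an EHR, showing why each user needs their own login and only the
# access their position requires. Names and log layout are hypothetical.

# Role-to-section mapping following the post's example: the front desk
# sees only the calendar, a nurse has full medical record access.
ROLE_SECTIONS = {
    "receptionist": {"calendar"},
    "nurse": {"calendar", "medical_record"},
}

# Constructed sample of what an Information System Activity Review report
# might contain: (user, role, EHR section touched, workstation).
SAMPLE_ACTIVITY = [
    ("alice", "receptionist", "calendar", "frontdesk-1"),
    ("alice", "receptionist", "medical_record", "frontdesk-1"),  # outside role
    ("bob", "nurse", "medical_record", "exam-2"),
    ("frontdesk", "receptionist", "calendar", "frontdesk-1"),
    ("frontdesk", "receptionist", "calendar", "frontdesk-2"),    # shared login?
]


def is_permitted(role, section):
    """True if the role is allowed to touch the given EHR section."""
    return section in ROLE_SECTIONS.get(role, set())


def review_activity(events, max_workstations=1):
    """Return the findings an activity review should surface.

    - 'out_of_role': a user touched a section their role does not allow.
    - 'shared_login': one account used from more than max_workstations
      workstations, which suggests the login is shared and the review
      can no longer attribute actions to an individual.
    """
    findings = []
    stations = {}
    for user, role, section, workstation in events:
        if not is_permitted(role, section):
            findings.append(("out_of_role", user, section))
        stations.setdefault(user, set()).add(workstation)
    for user, seen in stations.items():
        if len(seen) > max_workstations:
            findings.append(("shared_login", user, len(seen)))
    return findings


if __name__ == "__main__":
    for finding in review_activity(SAMPLE_ACTIVITY):
        print(finding)
```

A generic "frontdesk" account used from two workstations is exactly the case where the activity review report stops being useful, because nobody can say which person made the entry.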
Next time we’ll attack the Sanction Policy.
John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.