As you are probably aware, the government has begun the first round of HIPAA compliance audits – and these audits have included physician practices. So the million-dollar question is: Is your medical practice really in HIPAA compliance? I find most are not, even though they think they are.
A good first step to HIPAA compliance is to conduct an internal HIPAA risk assessment. At a minimum, a risk assessment must include these questions:
• What types of protected health information (PHI) do we possess, receive, store or transmit?
• How sensitive is this data in what it reveals about patient medical conditions, procedures, diagnoses and prescriptions? Data about sexually transmitted diseases, sexual health, pregnancies and mental health are considered especially sensitive.
• How valuable or desirable might this data be to criminals? Records that include social security numbers, mother's maiden names, home addresses, payment details and long-term medical history are considered especially sensitive because criminals can use them to commit financial and healthcare fraud.
• What steps and procedures are in place in our medical practice right now to protect the PHI we possess, receive, store or transmit?
• Finally, what additional steps, procedures, or technologies are necessary to bring our data protections into line with generally accepted information-technology standards or with National Institute of Standards and Technology (NIST) guidance?