Need help with HIPAA reviews? A new tool can help
A new tool for ODs and other providers sheds light on the importance of conducting risk reviews on protected patient information.
The Health Insurance Portability and Accountability Act (HIPAA) requires that certain "covered entities" do regular reviews or risk assessments on the safeguards they use to ensure the security of this information.
"Many believe a breach will never happen to them."
Optometrists who transmit any information in an electronic format-such as transferring a claim to Medicare or other payers-are considered "covered entities" under HIPAA. A security risk assessment is also required of providers participating in the Medicare and Medicaid EHR Incentive programs. To assist smaller and medium-sized practices with these reviews, the U.S. Department of Health and Human Services (HHS) on March 28 released a new security risk assessment (SRA) tool.
According to an HHS press release, "the tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations."
It takes providers through each of HIPAA's requirements, asking more than 150 questions. According to the SRA's website, a "yes" or "no" answer will indicate if a provider needs to take corrective action on a particular requirement.
Providers can apply for the tool online. Application for the tool is available at the following link. There is no charge to apply or use the tool.
A risk assessment helps avoid potential breaches in patient health data and other adverse security situations by detecting vulnerabilities in a provider's security system or policies.
ODs think breaches "will never happen"
Jason Miller, O.D., a partner in a three-doctor private practice in Powell, Ohio, sees the tool as a positive development. Dr. Miller has consulted with the AOA as one of the "ask the coding experts" on a variety of coding, medical records concerns and HIPAA issues.
Not many ODs fully understand the significance of risk assessment-or know where to start, he observes. "Many believe a breach will never happen to them." In his view, educational tools and online resources could help save ODs some time and make the process easier to figure out. The SRA website specifically offers tutorial videos and a user guide for providers.
With so many offices adding computers and changing companies they do business with each year to comply with meaningful use certification of EHR requirements, "this SRA needs to be evaluated and continually tested to ensure our patient's data is protected at the highest level," he says.
One problem doctors have been grappling with on meaningful use compliance is they may not have a record of completing an SRA in the event they get audited. The tool helps solve this issue by producing a report that can be given to auditors.