The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA's administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization's protected health information (PHI) could be at risk.
On January 25, 2013, the HIPAA Omnibus Rule was published in the Federal Register to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach Notification and Enforcement Rules. The Omnibus Rule also made changes to the Genetic Information Nondiscrimination Act (GINA). It must be said that there was not much new in the Omnibus Rule; in general, the document combines, specifies, and describes in detail previously available texts. The document runs to over 500 pages, but we will provide a brief overview. Summary of the document by HHS:
'This omnibus final rule is comprised of the following four final rules:
Of course, after conducting the assessment, providers must implement appropriate procedures or develop policies. Understanding the rules and finding a solution can be a tough task, so ONC, HHS and other organizations have developed tools and guides to simplify this. One of these assistants is the SRA Tool.
Security Risk Assessment Tool (SRA Tool)
The SRA Tool is a standalone application that runs on Windows desktops and laptops, and on Apple iOS for iPad only. This tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment. The tool takes you through a series of questions, each of which you answer "yes" or "no". There are 156 questions in total. The tool also shows you explanations and recommendations.
The tool serves as your local repository for the information and does not send your data anywhere else.
There are other guides and useful templates that can help you comply with HIPAA requirements and better understand the rules.
Examples of administrative, physical and technical safeguards questions from Risk Assessment.
You may well have questions about the HIPAA rules to which you have never received a direct answer. For example:
Question: May physician's offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
Answer: Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).
There is a large F.A.Q. on the web; check it, as it is possible that your question has already been asked and answered.