PHI Safeguard Compliance Requirements for HIPAA/HITECH and MU – Part 3


PHI Compliance Requirements Webinar Questions/Answers – Part 3

On July 30, 2014 we hosted a webinar event with national HIPAA expert, Edward Jones. The event attracted almost 800 registrants so naturally there were a ton of questions. We decided to share the Q&A with our entire audience in a four-part series. You can follow Ed on Twitter @HIPAAsafeguards.

Read Webinar Questions/Answers – Part 1
Read Webinar Questions/Answers – Part 2

1.  How often are security risk assessments required for Meaningful Use?  Is it prior to each reporting period or prior to the reporting year?

Answer:  A review of a risk analysis is required prior to each reporting period for attestation (as I indicated in the presentation on page 28 of the .PPTX presentation).  However, the security risk assessment is based on HIPAA regulatory references, so any material change in business or regulatory authority impacting security would require a review of the risk assessment and any change in mitigation of risk policies and procedures resulting from the change, as required by HIPAA.  In the absence of such HIPAA-related change, your organization would be required to conduct a review of the risk analysis prior to reporting attestation for Meaningful Use, as required under Meaningful Use rules.

2.  How different will an EP vs. EH Security Risk Analysis be?

Answer:  This is really a question of scale.  A small EP risk analysis is less complicated than a large clinical analysis.  To the extent that EPs in a clinic are on one electronic system and in one facility, then the process will be easier than if they are on different systems and in different facilities.  The same applies to hospitals, which are complex organizations, frequently with multiple systems, different functional departments, and in more than one physical facility.  Many Administrative Safeguards can be applied across systems and facilities, but some differ by facility (e.g., disaster recovery plan and emergency mode operation plan).  Physical Safeguards are specific to an individual facility, and Technical Safeguards may differ across facilities or functional departments or may be the same.  HIPAA Safeguard requires as many separate units for purchase and download as there are different facilities, or in the case of a hospital, different functional departments on separate systems.  A purchaser must designate a separate covered entity/facility name or business associate/facility name for each.  Finally, a separate risk analysis must be conducted for each facility, and, in some circumstances, for each hospital department.

3.  Is there a more simplified version of the HIPAA Privacy & Security Assessment checklist for small MD practices (no IT departments)?

Answer:  My online, affordable, downloadable, user-friendly HIPAA Safeguard product provides in plain language, with guidance, references, and online links, the necessary information for any covered entity or business associate to readily achieve compliance with HIPAA Privacy and Security safeguards, HITECH Breach Notification requirements, and the Meaningful Use Security measure by linking it to the HIPAA Security Rule implementation specifications. HIPAA Safeguard was designed for self-assessment and includes how to conduct a risk analysis and sample policies and procedures that cover each implementation specification and that can be tailored to a purchaser’s unique operational environment and implemented. These sample policies and procedures have been legally vetted to reflect the standard and implementation specification regulatory language and requirements, and, because they are electronic for easy download with the purchaser’s designated business name embedded in each, can be made accessible to each of the purchaser’s workforce members, as required by HIPAA. The value of this product is that it provides immediately accessible, documented evidence of each required safeguard policy and procedure, which, once implemented, removes the purchaser from mandatory penalties under “willful neglect – not corrected,” in the event of an investigation tied to a compliance audit, complaint, or breach.

Our book, HIPAA Plain & Simple: After the Final Rule, 3rd edition, was written in plain language for medical practices, with an emphasis on small practices and what to do. There are checklists for implementation, but readers must prepare and write their own safeguard policies and procedures. This book goes beyond Privacy safeguards to include a description of other Privacy provisions. You can purchase the book at Carolyn H. Hartley and Edward D. Jones III, HIPAA Plain & Simple: After the Final Rule, 3rd edition. Foreword by former HHS Secretary Louis W. Sullivan, MD. Chicago, IL: American Medical Association, 2014.

As an information source, you also may want to check out the Office of the National Coordinator for Health IT’s (ONC) website, deployed in March 2014 and entitled Security Risk Assessment, which is available here.

Ed Jones is an author, and the owner and CEO of Cornichon Healthcare Select, LLC, which provides consulting services pertaining to HIPAA/HITECH Act privacy and security compliance, and the design of mobile strategies for healthcare transactions.  At Cornichon’s Website, Ed offers online privacy and security safeguard guidance and reference tools, and policies and procedures for achieving compliance with the HIPAA Privacy, Security, and Breach Notification Final Rule and the Stage 1 and 2 Meaningful Use Security Measure.