HIPAA– it’s got teeth now

Posted 7 July, 2007 in EHRs, HIPAA

teeth.jpgWithout enforcement (including audits and levied penalties), laws are essentially meaningless. In en effort to prove that the HIPAA regulations were meant to be both read and obeyed, the Department of Health and Human Service (HHS) has begun to audit medical institutions. They started this March with Atlanta’s Piedmont Hospital. I think this is great, because up until now, EHR companies and the like have been able to claim HIPAA compliance without any proof. Now is when the truth will come out.

Piedmont Hospital was given ten days to provide policies and procedures addressing the following 24 areas:

  1. Establishing and terminating users’ access to systems housing electronic patient health information (ePHI).
  2. Emergency access to electronic information systems.
  3. Inactive computer sessions (periods of inactivity).
  4. Recording and examining activity in information systems that contain or use ePHI.
  5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
  6. Employee violations (sanctions).
  7. Electronically transmitting ePHI.
  8. Preventing, detecting, containing and correcting security violations (incident reports).
  9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
  10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
  11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
  12. Physical access to electronic information systems and the facility in which they are housed.
  13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals’ databases that house ePHI data?).
  14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
  15. Internet usage.
  16. Wireless security (transmission and usage).
  17. Firewalls, routers and switches.
  18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
  19. Terminating an electronic session and encrypting and decrypting ePHI.
  20. Transmitting ePHI.
  21. Password and server configurations.
  22. Antivirus software.
  23. Network remote access.
  24. Computer patch management.

How would your EHR institution do on this quiz?


NAVIGATION

Powered by AccordingToME.

Health Blogs - BlogCatalog Blog Directory Blog Directory Blogarama Globe of Blogs Blog Listings All-Blogs.net directory blog search directory