For health care providers, although complex, compliance with HIPAA is especially important. The federal government can impose severe sanctions on organizations found in violation of HIPAA. Federal regulations for meaningful use and MACRA/QPP also require participating providers to perform a security risk assessment each year to be eligible for incentives or bonuses.
The Kentucky REC can help with navigating HIPAA’s requirements to safeguard the confidentiality, integrity and availability of patient information. We offer two services to aid health care organizations: Security Risk Analysis and Project Management services.
For more information on these services, contact the Kentucky REC today.
WEEKLY HIPAA TIP
HIPAA Privacy & Security: Contingency Planning Series – Part 4
Assigning personnel roles and responsibilities in the Contingency Plan
Under the HIPAA Security Rule, Covered Entities and Business Associates must implement policies and procedures to ensure that all members of their workforce have role-based access to electronic protected health information (ePHI), and to prevent workforce members who are not authorized for access from obtaining access to ePHI. Key activities for meeting this standard can include:
- Define roles and responsibilities for all job functions.
- Assign appropriate levels of security oversight, training, and access.
- Identify in writing who has the business need, and who has been granted permission, to view, alter, retrieve, and store ePHI, and at what times, under what circumstances and for what purposes. (NIST-800-66 Rev 1, 4.3)
Things to consider:
- Who needs access to ePHI in the event of a natural or man-made disaster?
- Who should be responsible for implementing the Contingency Plan?
- Who may need access to the office to help restore lost data?
Check out our Weekly HIPAA Tips next week for Part 5 of this series.
This reminder is part of a series of HIPAA Security Reminders from the Kentucky Regional Extension Center. These reminders can be used by covered entities and business associates looking to comply with the HIPAA Security Rule’s CFR §164.308(a)(5)(ii)(A), which states, “Security reminders (Addressable). Periodic security updates.”
Feel free to share this with your workforce/staff to remind them of the importance of safeguarding protected health information (PHI), especially PHI that is in electronic form (ePHI). A new security reminder is posted at the beginning of each week. If you have any questions or would like to speak to someone at the REC about HIPAA Privacy and Security, please contact us at Kentucky REC or call (859) 323-3090.