News & Analysis

December 1, 2014
Briefings on HIPAA

Tips from this month's issue

December 1, 2014
Briefings on HIPAA

The intent of quality and safety programs is to evaluate and monitor performance and to improve results. Organizations develop annual quality and safety plans with measurable objectives that departments adopt and include as integral aspects of their performance improvement plans.

December 1, 2014
Briefings on HIPAA

Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements, other than to perform audits, that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?

November 1, 2014
Briefings on HIPAA

Mobile devices have changed the way people share and access information in their personal and professional lives. Smartphones and tablets may make it easier and faster for people to communicate, store, and access information, but they present risks if lost, stolen, or hacked. This can be especially challenging in the healthcare industry as it has become common for providers to use various mobile tools, including smartphones, laptops, notebooks, tablets, phablets, personal digital assistants, USB devices, digital cameras, and radiofrequency identification devices, to communicate with colleagues and access applications.

November 1, 2014
HIM Briefings

Although numerous privacy and security laws apply to healthcare entities, HIPAA rules and requirements tend to receive the most emphasis, and generate the most angst. The terms HIPAA-compliant vendor, HIPAA cop, and HIPAA disciplinary action are anathema to experienced and serious privacy and information security professionals. HIPAA, as has been noted, represents the floor of requirements intended to protect the privacy and security of patient information. More stringent privacy requirements existed at the state and national levels for several years before the HIPAA Privacy Rule was implemented (e.g., state medical records laws and requirements). Notably, many organizations implement policies and procedures that are more stringent than those required by HIPAA. Some of this is due to misinformation or misunderstanding of the HIPAA rules.

November 1, 2014
Briefings on HIPAA

Small- to medium-size clinics often operate under the assumption that their outsourced IT shop or managed services provider (MSP) is providing a robust security solution, but this is not always the case. MSPs aren't necessarily falling down on the job, though; remember that just because something is outsourced doesn't mean the vendor will manage all of the risk. In the end, if you want additional services from your MSP, it costs money. RapidFire Tools® offers a solution MSPs can use to address risks that many small- to medium-size clinics may falsely assume are already managed.
