What is an Employer to Do?

A key element, and the logical first step, of privacy and security compliance is an assessment of the current compliance status of the covered entity (which is likely to be an employee benefit plan). This assessment can be facilitated by an information flow chart that tracks how protected health information is used and disclosed, and for what purpose.

For privacy, the covered entity's policies, procedures, and actual practices should be compared to the specific requirements of the HIPAA Privacy Rule. From there, appropriate policies, procedures, and practices should be implemented, which will include training of the workforce and the creation of new documents or amendment of existing ones (including plan documents).

For security, the covered entity (or the employer/plan sponsor on behalf of the covered entity) should perform a risk analysis: an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information held by the covered entity. The covered entity can use its information flow analysis to help identify risks and vulnerabilities to information that it possesses or that flows to or from the covered entity. A fairly basic approach is to identify each risk and then assign a number to the likelihood and to the impact of that risk. For example:

[Figure: Risk Level Matrix]

Accordingly, if a risk appeared highly likely and presented a high level of impact, a "9" would be assigned. These risks would be the first to be addressed in the risk management stage. If, however, a risk has a low probability and, even if it were to come to fruition, would have a low impact, a "1" would be assigned. The areas covered by the risk analysis would include, at a minimum, the standards and implementation specifications provided in the Security Rule.
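As an added illustration of the scoring described above (this is not code from the original page or from ErgoStat), here is a small Python risk register. It assumes a three-level scale (1 to 3) for likelihood and for impact and takes their product as the risk level, which reproduces the "1" and "9" endpoints mentioned in the text; the tier cut-offs and the sample risks are constructed for the example.

```python
# Added example, not from the original page. Assumption: likelihood and impact are
# each rated 1 (low), 2 (medium) or 3 (high) and the Risk Level Matrix cell is their
# product, so low/low scores 1 and high/high scores 9 as the text describes.

LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> int:
    """Return the Risk Level Matrix value (1..9) for the two ratings."""
    for rating in (likelihood, impact):
        if rating not in LEVELS:
            raise ValueError(f"unknown rating {rating!r}; expected one of {sorted(LEVELS)}")
    return LEVELS[likelihood] * LEVELS[impact]


def tier(level: int) -> str:
    """Assumed (constructed) cut-offs for the risk management stage."""
    if level >= 6:
        return "address first"
    if level >= 3:
        return "address next"
    return "monitor"


def prioritize(register):
    """Score every entry and return a new list ordered highest risk level first."""
    scored = [dict(r, level=risk_level(r["likelihood"], r["impact"])) for r in register]
    return sorted(scored, key=lambda r: r["level"], reverse=True)


# Constructed sample register, the kind of findings an information flow chart for a
# group health plan might surface.
SAMPLE_REGISTER = [
    {"risk": "Claims PHI emailed to the plan sponsor without encryption",
     "likelihood": "high", "impact": "high"},
    {"risk": "Enrollment spreadsheet on a share readable by all staff",
     "likelihood": "medium", "impact": "high"},
    {"risk": "Laptop holding PHI lost, full-disk encryption enforced",
     "likelihood": "medium", "impact": "low"},
    {"risk": "Paper EOBs stored in a locked file room",
     "likelihood": "low", "impact": "low"},
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        print(f'{entry["level"]:>2}  {tier(entry["level"]):<14}  {entry["risk"]}')
```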

The next step is for the covered entity to engage in risk management, which entails implementing security measures sufficient to reduce the identified risks and vulnerabilities to a reasonable and appropriate level.

These pages provide general information and are not intended to be legal advice.