Welcome to the February module of HIPAA MMM. As you complete each activity, please print and place the completed documents in your HIPAA Manual in a location you will remember and be able to easily locate if needed.
Instructions for the routine repeated monthly QUICK CHECK review audit
Monthly Quick Check Audit
It is advised that you perform this same QUICK CHECK audit every month using the following audit tool and place any written updates in your HIPAA manual. Make sure to review the QUICK CHECK every month, as items are added periodically based on changes in focus and enforcement activities within the federal government.
Below are the instructions that correspond with each item on the Monthly Audit List:
1. If yes, perform a risk analysis for that device, as you did for the devices when you prepared your original risk analysis from the Survival Kit, or by copying the format for the risk analysis used in the Silver or Gold program originally provided for you (you can also use your Survival Kit as a reference/template). Add this newly prepared document to your HIPAA manual.
2. If yes, then remember to document what you did to assure that the device had no patient health information/electronic data remaining on it at the time of disposition (i.e., had a service clean the hard drive, destroyed the hard drive, shredded the information if on paper, etc.).
3. If yes, remember to have them sign an employee confidentiality form and assure that you perform a full HIPAA training within 45 days of hire. (Remember: you can use the training video Annual Staff Inservice, or there is an audio training in the Survival Kit that can be paired with giving your new employee a copy of your office HIPAA policies and having them sign off that they agree to read, understand and abide by those policies to satisfy this training. Don’t forget to document this in your HIPAA manual.)
4-8. Regardless of the specific customized evaluation/review/audit you will perform THIS month, due to the increase in ransomware, it is advised to assure and document, on at least a monthly basis, that all patches, updates, firewalls, antivirus, anti-malware, etc. are current and installed.
9. Again, especially due to ransomware, the required HIPAA contingency plan, most especially the area of data recovery, has become a major center of attention. One of the key components is that your backups are readily available and your data can be restored in the event of an attack on your patient data that shuts down your main computers, etc.
Monthly security reminder
Instructions: This month’s reminder will likely require modifications to fit the circumstances in your specific office. While you may need to eliminate some items because they do not apply to your particular office, there may also be items to add.
Your monthly security reminder, for distribution to your workforce, is provided. Remember to document that you distributed it to all of your workforce, including volunteers, part-time employees, family members who help out ‘here and there’, etc., as this is a required component of the HIPAA law: “You must distribute periodic security reminders to your workforce”.
Activity for this month:
Download the document provided below and the instructions to complete the audit for your Contingency Plan.
Remember that all documents should be modified to fit your office needs and facts. There is very little guidance, and therefore a great deal of latitude, relative to developing a contingency plan. It is required that at least one time per year you have a table review of your process in the event of a disaster such as a tornado, fire, explosion, etc.
Much of the task this month may NOT be applicable to your office, and you may have many procedures and processes in addition to the plan presented. Please alter the task document as needed.
A contingency plan definitely must have data recovery and an emergency mode operation. Some offices may consider NOT having a significant emergency mode procedure if they do not have critical/lifesaving treatments being performed that would have to be continued under dire circumstances during a disaster; however, we highly recommend that you have a complete contingency plan simply for business continuation issues. There are too often reports of doctors having their building burned down, flooded or destroyed by a tornado, only to find they cannot get ‘up and running’ in time to retain their patient base, and ultimately going out of business.