The Rheumatologist

Legal Updates: Tips for Protecting Your Patients’ Health Information

December 18, 2019 • By Steven M. Harris, Esq.


Steps Toward Compliance

Taking proactive measures now is the most effective way to minimize unauthorized uses or disclosures of PHI. At a minimum, your practice should:

  • Nominate a privacy officer and security officer to be responsible for overseeing the development, implementation and maintenance of privacy policies and procedures for safeguarding PHI;
  • Develop and implement a robust set of HIPAA policies and procedures;
  • Regularly conduct a thorough review of existing HIPAA policies and procedures, and confirm those policies and procedures have actually been implemented and are effective. A written policy serves no purpose if it is not working or has not been implemented;
  • Train workforce personnel on your policies and procedures and on common security incidents. Educate your workforce on how to identify a ransomware or phishing attack, and what action to take in the event of such an attack;
  • Assemble an incident response team (IRT) and involve legal, IT and human resource representatives, among others;
  • Draft an incident response plan (IRP). This will be your go-to document in the event of a breach. It should identify the IRT and clearly describe the decision-making process when handling security incidents;
  • Test your IRT and IRP. This can be done by educating personnel and then testing your IRT on HIPAA compliance requirements. In addition, pose hypothetical security incidents to the IRT and have the team follow the IRP. Once completed, revise the IRP to overcome any shortcomings noted during the hypothetical scenario; and
  • Perform a risk assessment, including penetration testing, of your computers, devices and electronic health record software.

Steven M. Harris, Esq., is a nationally recognized healthcare attorney with McDonald Hopkins LLC. Contact him at [email protected].


Create an Incident Response Team & Plan

HIPAA requires all covered entities—no matter how large or small—to plan how they would respond to security incidents (i.e., how they prepare for incidents, detect and analyze incidents, and respond to incidents). The scope of an incident response plan (IRP) will vary with the size of the organization: a smaller organization may have a less involved IRP (fewer decision makers, etc.), but it must still have one.


The first step: You must identify the members of your incident response team (IRT). Security incidents affect almost every component of an organization, and failure to properly manage an incident can result in both long- and short-term consequences. For that reason, the team should include executive decision makers in the following areas:

  • Legal;
  • Information technology;
  • Risk management/insurance;
  • Human resources;
  • Marketing;
  • Public relations;
  • Compliance and internal audit;
  • Physical security;
  • Other executives, as appropriate; and
  • Third-party response services (e.g., forensics, privacy counsel, notification).

Small practices may not have personnel dedicated to each of these functions and may need to assign one person to cover multiple areas. Example: If your practice doesn’t have a dedicated marketing and public relations staff member, your office manager may be the best person to represent those functions on the team. Once your IRT is assembled, you should get to work on your IRP.


Filed Under: Legal | Tagged With: HIPAA, protected health information | Issue: December 2019

Copyright © 2006–2022 American College of Rheumatology. All rights reserved.

ISSN 1931-3268 (print)
ISSN 1931-3209 (online)