HIPAA’s Security Rule requires every covered entity to designate a security official who is responsible for developing and implementing the policies and procedures that safeguard electronic protected health information (ePHI). For that role you need someone who understands clinical and billing workflows, who recognizes that in the past some clinicians have communicated with patients over unsecured consumer email services such as AOL, Yahoo!, and Comcast, and who can shoulder broad responsibility while delegating individual assignments.
Before entrusting someone with the security of your health information, conduct a risk assessment to identify the practice’s existing security safeguards and its vulnerabilities.
As you work through the risk assessment, assign each risk a value from 1 to 5. A rating of 1 means the risk is low but still warrants attention. A rating of 5 means that an event of that kind (theft, a break-in at the offices, fire, weather damage) has happened at least once and is likely to happen again.
For risks rated 3 or 4, assign an owner or owners to manage them. HIPAA’s workstation use standard under the physical safeguards (45 CFR 164.310(b)) requires you to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
You want to safeguard not only protected health information but also your investment in the practice. The owners of this physical safeguard could be, for example, a lead physician, a nurse, and a lab technician.