
4:31 AM

Aditya
 
- For a start, follow the guidelines and rules set by HIPAA.
- Keep all paper medical records under lock and key and make sure non-authorized personnel have no access to them.
- Destroy any paper records which are past their required storage date or digitized and no longer needed.
- Install antivirus and firewall software on all your PCs and laptops and also on your internal network. If possible, keep only limited internet access on your internal network.
- Computers should not be facing the waiting room or any direction where non-authorized people can view them. Use password locks when away.
- Always log out of the EHR system when leaving the computer.
- Do not use social security numbers as a unique patient identifier.
- Patients have the right to revoke access to any Health Information Network your practice may be part of. Ensure you have proper written consent/consent forms filled out when sharing information with anyone.
- Change your passwords as mandated by the Guidelines. Ensure that passwords are not exchanged or written/posted in places where others can see. An employee of the practice making such a mistake can have big repercussions for the whole practice.
- Portable hardware containing data should be kept secure and locked away when not in use.
- All hardware should be kept in a clean environment and with minimum or no access possible to non-authorized personnel.
- Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for protecting patient health information.
- Make sure your staffing policies and procedures are up to date. If an employee leaves the practice, change the user’s status to inactive.
- Review audit trails periodically. Reviewing audit trails can alert practices to potential system abuse or misuse.
- Have a disaster recovery procedure. Accidents happen, stuff breaks, the weather isn't always cooperative. You need to be prepared for everything that happens.
- Make sure your data is backed up every day.
- The computer that stores the patient data must be encrypted.
- The server should be kept in a locked room with limited access.
- Keep a list of third-party vendors that interact with your practice. Make sure they sign an NDA or some kind of agreement that states the third-party vendor won't disclose any information in your practice.
- Designate someone as a "security officer" or someone who is in charge of making sure the practice is HIPAA compliant.
- All employees should be wearing badges or something that identifies them as someone that works for the practice.
- Train the staff on proper internet use. Going to non-work-related sites is incredibly risky.
- If a patient's name is stored somewhere that is not in an EHR system, there cannot be anything that identifies that person as a patient.
- If flash drives or any external data device is used in the practice, make sure that device stays within the practice and only plugs into computers that are owned by the practice.
- In the event that your computer shows signs of being infected, stop what you're doing and tell the security officer right away.
- Flash drives or external media that were found on the ground should never be put into your computer. Who knows what is on that media.
 
4 comments:
Following the Health Insurance Portability and Accountability Act is a must that affects every aspect of healthcare services, even including the medical billing services.
I like that the first tip is to follow the guidelines and rules set up by HIPAA. If you are going to get past the risk assessment, you are going to go through them. I would rather play by their rules than try to cut corners. Cutting corners is when people get in a lot of trouble. http://www.mindsetconsultinggroup.com/what-we-do/scientific-consultation/risk-assessment-expertise
I liked the content on this site. Would like to visit again.
IT Support VA
Thank you for sharing the information. Great post.
Medical Coding Jobs for Pharmacy Freshers