What is a Risk Assessment and why do I need to do one every year?
HIPAA rule 25 requires that every practice perform a risk assessment at least every two years. Further clarification by the OMB has mandated that annual reviews be done. A risk assessment is the process of looking at your practice and determining the types of controls necessitated by law to protect the e-PHI (Electronic Protected Health Information) and PII (Personally Identifiable Information) present in your practice. This can be an expensive proposition, which is where TLD Systems can help you – we are specialists in HIPAA Risk Assessments and strive to make our services affordable for the sole practitioner and the small practice.
Each industry has specific regulations and requirements. HIPAA is specific to the Health Care Industry and we specialize in assisting small practices with their HIPAA Security Program. If your practice accepts Credit Cards, you also want to be compliant with the PCI standard. This is the standard that is utilized for protecting financial information.
When you think about threats from the perspective of HIPAA you must look at the threats with respect to:
• Availability of your data (you can access it)
• Integrity of your data (you are sure that what is there is what you put there and nothing else)
• Confidentiality of your data (nobody else can see it)
When you select TLD Systems to assist your practice with your risk analysis, you are selecting an organization that understands the workflow of your practice and that can become a partner in assisting you in implementing a “Culture of Compliance” in your medical practice.
The HIPAA regulations require your practice to implement safeguards to protect the data in your office that are reasonable based upon your resources. Our focus is to assist small practices. TLD Systems was founded by Dr, Michael Brody, a sole practitioner runs his own small practice and as a result we strive to insure that we help small offices to meet the HIPAA Security Standard. This also means that we speak “Medical Office” -- we understand how medical practices operate and reality of the business this is a small practice. While other organizations may be able to fluently speak the other security standards doctors need to deal with, we are able to speak more important acronyms including:
• ICD 10
• EHR and
You may see other standards referenced at web sites that talk about security. Those Standards include:
• NCUA – National Credit Union Administration
• OCC – Office of the Comptroller of Currency
• GLBA – The Gramm-Leach-Biliey Act
• ISO 27001 – The data security standard from the International Standards Organization
• SOX – The Sarbanes Oxley Act of 2002 and its data security rules
• FFEIC – Federal Financial Institutions Examination Council
• PCI DSS – Payment Card Industry Data Security Standard
While these standards are important, they are not our focus and we do not provide consulting or support to meet these security standards. We are HEALTH CARE focused and HEALTH CARE specific. Our program is based on 45 CFT Parts 160, 162 and 164, the HIPAA Security Standard.