Staying Independent...Together

   RE: HIPAA Security Rules
 From: Peter Liepmann
 To: Member Forum
 Posted: 07-15-2017 20:19
 Message: Hi Jim,

Suggest you do a search on these fora on "HIPAA". HIPAA compliance means the practice followed a process to assess risk, not that they're using, or not using, a particular product or method. CMS website is helpful, esp. the FAQ for profs.

The FPM article was fairly reasonable. http://www.aafp.org/fpm/2017/0300/p5.html
If you look at it, the most common problem was the practices hadn't done a risk assessment. That's a violation. But not using encryption (e.g.) is not a violation, if you've done an assessment and concluded it's more onerous than it's worth.


"common problem areas with respect to Security Rule compliance:

  • Nonexistent or incomplete SRAs,

  • Lost or stolen media storage devices containing unencrypted ePHI – including laptops and thumb drives,

  • Improperly configured appointment calendars, which are publicly searchable online.

In many cases, the covered entities that have made these errors also fail to implement effective policies and procedures to detect, prevent, contain, and correct security violations."

The only weird thing with the cloud is you need a specific BAA, not just the cloud's usual security measures, which are usually far in excess of what you need. ONC has gotten weird on this, insists on a document labelled "BAA".



------------------------------
Peter Liepmann MD FAAFP MBA
My mission is to fix US health care www.PCMHpcc.com
Bakersfield CA
5183026006
------------------------------
-------------------------------------------
Original Message:
Sent: 07-14-2017 15:28
From: Jim Bloomer
Subject: HIPAA Security Rules

Hello,

Am switching from a server-based EMR to a cloud-based EMR. Do those on the cloud have any special in-house security measures etc.? An IT person is suggesting that a "Windows domain" or "Windows work group" is not HIPAA compliant. Do practices have a HIPAA security rules document in place? Does anyone know of a template? There is an article in the FPM Journal recently...looks fairly onerous....

 

Tx

Jim Bloomer, Exeter, NH.







Copyright 2016 Ideal Medical Practices. All rights reserved.