1. I heard that the first step to HIPAA compliance is a risk analysis. What kinds of risks do I have to consider in the analysis? When completing a HIPAA risk analysis, you need to consider the following threats:
• Natural threats such as floods, earthquakes, and tornadoes
• Environmental threats such as power failures and chemical or liquid leakage
• Intentional and illegal threats such as eavesdropping, snooping, fraud, theft, and vandalism
• Accidental threats such as input errors and failures to update software
• External threats such as malicious cracking, demon dialing, and viruses
2. If we use email, patient portals, file sharing, and shared office calendars, do we need to implement HIPAA Security Safeguard for these programs and applications? Yes, if you store, transmit, input, or access client information via email, patient portals, file sharing, or shared office calendars, these programs and applications along with the devices that employ these programs and applications, including desktop computers, servers, tablets, laptops and smart phones, must be built-into your HIPAA compliance program.
3. What types of HIPAA training do I have to provide to my staff? As part of your HIPAA compliance program, you must provide initial training to your existing staff and any new staff members regarding your office’s HIPAA policies and procedures. In addition, you must provide ongoing annual training and security reminders to your staff.
Have other questions about HIPAA compliance? Let's us know your questions!