Doctor's Life Magazine, Tampa Bay Doctor's Life Tampa Bay Vol. 1 Issue 6, 2013 | Page 19

[Figure: Conduct a thorough security risk assessment; Identify risks, threats and vulnerabilities; Monitor Results; Develop Remediation Plan; Mitigate risks, threats and vulnerabilities]

- paper charts (where and how they are stored)
- medication closet or cabinet and locks
- laptops and workstations
- patient and visitor logs
- internal separation between front office and back office

These are all areas that you will need to review as part of your thorough evaluation.

Administrative safeguards that need to be reviewed include your policies and procedures. This is an area that is often overlooked. Having a policy or procedure in place does not by itself meet the regulatory requirements. You should have a documented, written policy, backed up with standards and procedures that all employees understand. Per HIPAA, there are numerous requirements that must be met, and each one of these criteria has specific implementation requirements that must be documented. Your workforce clearance policy may say how you provide clearance to your employees. It must also include whether or not you complete background checks, what type of check you do, whether you re-screen and how frequently you do so. The policies and procedures you have in place will guide how you protect PHI.

When reviewing your technical safeguards, please keep in mind that some of these will also be covered in your administrative safeguards, including your information security policies. Please keep in mind that, on top of all the new threats that evolve on a daily basis from viruses, malware and the like, you also need to take the human factor into consideration. Phishing is growing more and more prevalent, and you must inform your workforce about these threats and how to handle them appropriately. You must also monitor your logs and keep up to date with security updates, patches and antivirus.

Encryption is a critical concern for Stage 2 of Meaningful Use.
Of the breaches that have led to large fines over the last few years, nearly all of them included an unencrypted piece of machinery and failure to com