By Diane Evans
In last week’s issue, we discussed the critical role of risk assessment in identifying vulnerabilities to private data held within long-term care. As a starting point, we offered senior leaders a to-do list of duties to assign out.
This week we will focus on the optimum outcome of a risk assessment, both for good business and also to meet requirements under the Health Insurance Portability and Accountability Act (HIPAA). In short, risk assessment is about accounting for all your data, and then having systems in place to manage that data to the best of your ability on a daily basis.
Your Risk Assessment should achieve the following:
Risk Assessment
An enterprise-wide Risk Assessment plan is developed to evaluate the security of private information, both physical and electronic, in all places throughout the organization where it is created, maintained, received and transmitted.
An inventory of private information is documented as well as a workflow analysis of information by department.
The Risk Assessment occurs annually, and responsibility for it is assigned to specific leader(s).
Risk Mitigation
Identified risks are evaluated as part of a Risk Mitigation Plan to determine how these risks should be remedied or eliminated.
Responsibilities for mitigating risks are assigned to specific leader(s).
Policies and Procedures
A Risk Assessment policy is documented, and outlines how Risk Assessment is to be conducted by the organization.
A Risk Mitigation and Risk Management policy is included within the organization’s Policies and Procedures.
Routine Management
A Data Security Plan, emanating from the risk assessment, becomes a blueprint for managing and improving data security within your organization.
Risks are addressed, starting with the highest priorities, with new assessments and updates as needed.
Progress in implementing the plan is evaluated on an ongoing basis.
Arguably, the long-term care sector faces the greatest challenges of all in managing data security, given that data tends to be scattered in many places.
Risk assessment becomes a way to account for all this information, bring vulnerabilities to light, and inform a working plan for systematic management of data security.
About the author
Diane Evans is founder of Guarded Edge, which offers training and an in-house implementation plan for compliance with the Health Insurance Portability and Accountability Act (HIPAA) within long-term care. Diane can be reached at devans@guardededge.com. She has offered accredited training for state and national organizations, including the Health Care Compliance Association and the Cleveland Metropolitan Bar Association.