By Diane Evans
Given the growth projections in long-term care – coupled with ongoing consolidation – it’s worth discussing the privacy and data security implications of new acquisitions.
The size of an acquisition doesn't matter in terms of triggering required action under the Health Insurance Portability and Accountability Act (HIPAA). In fact, any change that affects private data requires a risk assessment of whatever has changed. Examples include:
The opening of a new or remodeled facility;
An acquisition deal;
A new technology purchase or any change to existing IT.
The task: Thoroughly check the safety of all new or altered places where private information is maintained, created, received or transmitted.
Here are some points to keep in mind:
Start with a scope of work, and include any new third-party vendors with potential access to private information.
Assign roles and responsibilities, and categorize risks by priorities.
Remember to check configurations on any new equipment, including copiers and fax machines, to make sure privacy settings are activated.
Be sure to have a Change Management policy in place that meets HIPAA requirements.
Action Item for Long Term Care Executives: Refer to this federal report on change management. Visit our website to learn more about our ABC’s to HIPAA Compliance guide, which includes resources for change management implementation.