HIPAA Omnibus Final Rule Questionnaire

Please fill out this form to assess your risk of a HIPAA violation.

Do you have your current Business Associate Agreements (BAAs) modified as of September 22nd 2014?

§164.308(b)(1): Business Associate Contracts and Other Arrangements - “Covered entities must enter into a contract or other arrangement with persons that meet the definition of business associate. The covered entity must obtain satisfactory assurance from the business associate that it will appropriately safeguard the information in accordance with §164.314(a)(1) standards.”

Does your organization have a documented Breach Notification Security Policy?

§164.404(a) Notice to Individuals - “A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”

Do you have a HITECH 13407 Security Incident Report?

§164.308(a)(1)(ii)(D): Security Management Process – “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Do you have an Information System Activity Review?

§164.308(a)(1)(ii)(D): Security Management Process - “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Are your devices encrypted that house or see ePHI?

§164.312(a)(2)(iv) Access Control - “Inquire of management as to whether an encryption mechanism is in place to protect ePHI. Obtain and review formal or informal policies and procedures and evaluate the content relative to the specified criteria to determine that encryption standards exist to protect ePHI.”

Has your Annual Risk Analysis for your internal office network been performed?

§164.308(a)(1)(ii)(A): Security Management Process - “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Do you currently employ some type of auto logoff on your desktops, laptops and tablets?

§164.312(a)(2)(iii): Access Control - “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

Do you have a Sanctions Policy to reflect employee sanctions for breached PHI?

§164.530(e)(1): Administrative Requirements - “A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart.”

Does your email exchange comply with HIPAA / HITECH regulations?

§164.312(e)(1) Transmission Security - “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

Are you using a commercial security firewall with advanced firewall capabilities and VLAN tagging?

Are your computers and other devices running commercial quality anti-malware and anti-virus software?

Is your Device Change Management Tracking Log current with all active PHI Devices?

Have you transitioned to ICD-10 codes?

“Everyone covered by HIPAA must use ICD-10 starting October 1, 2014. This includes health care providers and payers who do not deal with Medicare claims. Organizations that are not covered by HIPAA, but use ICD-9 codes should be aware that their coding may become obsolete if they do not transition to ICD-10.”

What does a Risk Assessment involve?

• Identify and document all ePHI repositories
• Identify and document potential threats and vulnerabilities to each repository
• Assess current security measures
• Determine the likelihood of threat occurrence
• Determine the potential impact of threat occurrence
• Determine the level of risk
• Determine additional security measures needed to lower the risk
• Document the findings of the risk assessment

Contact us at 877-794-3811 or [email protected] for Professional IT Support