You have to look at risk and analysis which is kind of big picture of you and then risk assessment where you look at the individual pieces that each particular system in the information flow. It makes the decision about, is this proper behavior or not. Are we doing things as securely as we should or not?
And it's nice because the risk analysis helps give you some reason for making decisions to what to do first, because you can order things, whatever has the biggest risk involve, you're going to take care of that first. Or you may have some things that are relatively cheaper to take care that are of lower risk but they aren't expensive.
Stick into those two. But you intently have a bigger picture. You really have a hard time finding your problems and eliminating them so you don't have to worry about breach notification. That's the whole idea is to use a risk analysis to find your problem areas button them down and avoid HIPAA breach notification and ensure healthcare compliance.
HIPAA Training Tip: Six steps of security is to enumerate your systems, do your information flow analysis, do some risk analysis to find out where the overall risk points are, where you're have your risk points, then you can do some detailed risk assessment and then you can go ahead with the risk determination to decide which is the biggest risk and lesser risk and then make some decisions about that medication policy and procedures and get everything documented.
So your information flow analysis is really where you need to go to find all the places where you might lose your information, so you can avoid breach notification. You really have to ask a lot of questions because you talk with every department say, “Okay, what information do you get? Where is it go to? What system do you use? How does this information handled?”
When did this person takes it, did anybody take it home? Do they carry it in a certain way? Did anybody use a flash drive? (Did anybody used) laptop? Who should you be able to access and for what kind of computer, things like that. There's lots of questions you can ask. But it'll help you understand what information you have and where is it going and what's happening to it?
And if you're lucky, you wind up with the picture that's probably easier to read in this one here. But this is 100 years ago. It still applies today. If you look and see, wherever there's a box or an arrow that's a potential risk point. It just starts at the top. There are records coming in from all over the hospital system. Those are coming in by a various means.
But if it's coming in electronically, is that computer secured properly? Is that communication link secured properly? If there's physician who's over in the right hand side, who is logging into information remotely to see what's going on about their patients? What kind of computer that's being done with? Do they have any PHI on their laptops? Is somebody carrying something on a memory stick.
Maintain healthcare compliance as all these areas or things you have to look help get better idea on what is secure. But whenever you find the information that's when you need look at the HHS guidance to say, “Okay, what can we secure if possible?” and use the Breach Notification Guidance Health and Human Services because that will tell you again what is security information because once it's secured it's not subject to breach notification. So get it secured if you can and use the HHS guidance at that link.
For expert training sessions on HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Business Associates Rule, HIPAA Audits & Enforcement, and others, visit healthcare compliance page.