The OP Review November 2005 - Ohio Psychological Association

More documents

Recommendations

Info

HIPAA – Secure at last! A Review of the Practice Organization’s Compliance Workbook By Charles Cooper, PhD, North Carolina Psychological Association Professional Affairs Director B y the time you read this, the compliance deadline for the HIPAA Security Rule will be behind you, like a channel buoy just past to starboard. Mixing metaphors with abandon—you will either be reading this with that smug sense of having completed all your homework, or with that attitude you typically adopt when you come to class with a light backpack, homework incomplete. In the interest of transparency, my typical attitude is one of blame. I generally blame someone else. In this case, Congress. Though blame, by and large, works for me, in this case it has only slowed me down. And as the Sole Security Officer (the S.S.O.) of my practice, that has not been a good thing. The HIPAA Security Rule itself is quite complex, more so in my view than the Privacy Rule. (Ironically, though, the action steps required for compliance are actually rather simple—with proper technical assistance.) And I had been waiting for the APA Practice Organization’s “compliance product” to ease the process. The product was put up on the Practice Organization’s Web site on April 12 and was definitely worth the wait, and not only for the excuse its release date provided. The Workbook The Workbook resides exclusively in online form, which can be reached through the APA Practice Organization’s Web site at www.apapractice.org. For APA members who pay the practice assessment, the cost is $99; for non-practiceassessment APA members, $139.; for nonmembers, $159. The time saved in using the Workbook will be a number of hours at least, and this alone justifies its price. As a bonus, the successful completion of its associated online exam earns four continuing education credits. The Workbook begins with a crisp overview of the Security Rule, laying out concepts essential to understanding the structure and content of the rule. For those who have taken the “101” courses or read the Practice Organization’s Primer, also available from its Web site, this material will be a comprehensive review. For those approaching compliance for the first time, it will serve as a sufficient conceptual map for your Security Rule implementation. After it sets out the concept-base, the Workbook gives a “Process Overview” that outlines the step-wise progression for compliance with each standard and implementation specification of the rule. Specifically, the workbook provides a stepby-step path for: • Evaluating security risks in your particular practice (the risk analysis) • Deciding how to respond to those risks by checking-off sets of options • Documenting all decisions and their rationales • Creating customized policies and procedures that flow from the options you selected As the authors’ note, completion of the component sections does take considerable time. However, the product of this invested time is a printable document that serves as the record of your compliance efforts. It spares you any additional time in creation of a paper trail to certify that the HIPAA required activities were completed. Contents The Workbook’s operational section has four principle headings: • Assigning a Security Officer • Securing Your Office • Securing Your Computer • Securing Your Workforce and Administrative Policies. Each of these sections includes brief descriptions of “standards” and “implementation specifications” (IS)—the real guts of the rule. The workbook then proceeds to walk you through a separate risk analysis for each standard and/or IS. The risk analysis is facilitated by the posing of a set of key questions that, while not exhaustive, generally cover the territory of the standard. Your responses to the questions identify not only threats, but also the adequacy of measures you have already taken. Your answers, recorded in text boxes, lead directly to the “Compliance Options” section, which offers standard check-off alternatives (and space for customized solutions) for risk abatement. These check-offs cleverly link to the final policies and procedures document, saving hours of word processing. Following from the “Compliance Options” is a section titled, “Sample Documentation” that guides you through documenting your rationale for compliance decisions. JUNE 2005 10
This section is particularly helpful for “addressable specifications,” which you may choose not to implement but must explain why. And, especially for small practices, there is serviceable suggested language that can be cut and pasted into your own final documentation. After completing the (many) iterations of risk analysis/option selection/documentation for each standard and implementation specification, you will be tired. However, relief comes in reviewing the draft policies and procedures document which has been compiled automatically in the workbook’s background as you have been laboring on the earlier sections. This does need to be edited before being downloaded in a printable and electronically storable PDF format. As such it is your principal documentation for compliance. The Workbook also has a score of other labor saving features, including a set of compliance resources such as business associate contracts, Security Rule documents (e.g., security logs and reporting forms), technical resource guides for securing computers, and sample emergency operations and disaster recovery plans. Summing up Compliance with the Security Rule is like Edison’s take on invention. It’s 99 percent perspiration, and that’s especially so if you have a trusted computer consultant to answer the pesky questions unique to your practice. The best thing about the Practice Organization’s Workbook is that it nearly eliminates the need for that inspiration part. Having struggled for months to understand and eventually to teach HIPAA Security, it was a great relief for me to realize, as I perspired through the workbook’s online exercises, that I did not have to continue any more of that squirrel cage activity of trying to figure out just exactly how to organize my compliance task. That was all done for me by the structure of the Workbook—especially its step-wise risk analyses and its compliance options for each standard. I could now just relax and mindlessly follow the path they laid out. In the process, I was surprised by several dangers posed by the Workbook’s risk analysis sections that I had not previously entertained. I can guarantee you will discover some angles you had not anticipated. And perspiration Even just cutting, pasting, and lightly editing the suggested language into the little text boxes that eventually become your PDF documentation file for the 18 standards and 34 implementation specifications is a lot of work. But to repeat, outside of the process steps and documentation requirements, the actual action steps to secure EPHI are neither complicated, expensive, nor terribly time consuming. Reprinted from “The North Carolina Psychologist” (May-June 2005) with permission from the North Carolina Psychological Association and Dr. Charles Cooper. Copyright 2005 NCPA. OPA REVIEW 11
Page 1 and 2: REVIEW OHIO PSYCHOLOGICAL ASSOCIATI
Page 3 and 4: Ohio Psychological Association PAC
Page 5 and 6: SOPP Faculty, Students, Provide Men
Page 7 and 8: Meet Your 2005-06 OPAGS Executive C
Page 9: OPA REVIEW 9
Page 13 and 14: Internet access was rated the highe
Page 15 and 16: progress): This research covers a l
Page 17 and 18: called “Helping Your Child Deal w
Page 19 and 20: Welcome to the following new OPA me

The OP Review November 2005 - Ohio Psychological Association

Create successful ePaper yourself

Delete template?

Save as template?