We will not become your IT consultant; we work with you and your current IT consultant to implement the best possible security for your practice. We will work with you and your administrative staff to ensure that you understand the issues that relate to your physical location and how that might be a threat to your data security. We work with your office administrative staff to ensure that your entire staff is properly trained and that they understand their responsibilities under the HIPAA rule.
Working with your staff to ensure that everybody understands the nature and importance of the HIPAA rules is one of the most important services that we provide. A large number of HIPAA breaches are the result of human error, far outpacing HIPAA incidents caused by failures in IT security. Part of the HIPAA risk assessment is looking at the risks that exist to your data, understanding which risks are most likely to result in a breach and addressing those risks in the order in which they are most likely to happen.
We also pay attention to IT issues, but the point is that we understand where the weakest links are in most practices and focus on closing the security gaps that are most likely to be exploited. To determine what risks exist in your practice, we need to ask a number of questions:
- What can go wrong?
- How many patients will be impacted if it goes wrong?
- How will this affect our patients?
- How will this affect our practice?
- What will it take to implement steps to stop this from happening?
During this process we work hand in hand with your practice to ensure you understand the steps that are being taken, and why. Our method empowers you to constantly be aware of the HIPAA security implications of each and every decision that is made in your office. This allows your practice to participate in a Continuous Quality Improvement program on a daily basis.
We work with your office to complete an audit of the readiness of your practice to prevent a HIPAA incident. By involving your staff in the audit process, your staff becomes more educated about the HIPAA regulations. We then review the findings of the audit and provide your office with a list of the highest-priority risks that we have identified, ranked by the likelihood of the risk being exploited, the number of patients that could be impacted if the risk were exploited, the amount of harm that would occur if the risk were exploited, and the resources necessary to prevent the risk from being exploited. You will then be empowered to implement the risk mitigation steps identified.
We never provide services to implement the steps we recommend. That would be a conflict of interest, and we feel it is inappropriate to recommend services that we provide. In this way you can rest assured that each and every recommendation is in the best interest of your practice, and we derive no financial gain from your expenditure to implement these measures.
We can assist with identifying other providers who can implement the steps we recommend, and we have a strict policy of not entering into financial relationships with any of these entities. That being said, we do have relationships with a number of EHR vendors who recommend our services. Practices that have software from a vendor with whom we have a relationship enjoy a discount on our services. We neither offer commissions nor have a financial relationship with these EHR vendors.