Breach Notification Advice Offered
If you haven't checked out the North Carolina Healthcare Information and Communications Alliance web site, you're missing out on a wealth of free resources for those involved in risk management.
The site now features an updated version of a risk assessment tool to help hospitals, clinics, insurers and other covered entities determine whether to report a breach incident to comply with the HITECH Act's breach notification rule.
The tool includes an extremely detailed, step-by-step checklist to help organizations determine if a breach poses a "significant risk." And that's helpful, given that federal regulators are largely leaving it up to healthcare organizations to determine if the risk involved merits notification.
The breach rule's "harm threshold" provision has proven controversial, with some privacy advocates arguing that it gives healthcare organizations far too much latitude in choosing which breaches to report.
To prepare for the task of measuring the risk posed by a breach, healthcare organizations must "create a well-defined risk analysis process," says Tom Walsh, president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues. "Now is the time to get that done."
The alliance's updated risk assessment tool will come in handy for this effort. The group also offers reports that provide guidance on writing business associate agreements, managing information on portable devices and other timely topics.
The not-for-profit consortium, designed first and foremost to help North Carolina healthcare organizations adopt I.T., deserves credit for offering advice of value to facilities from coast to coast.