HHS SPI (SECURITY AND PRIVACY INITIAL INQUIRY)
This week concludes part B of the Security and Privacy Initial Inquiry (SPI) and is much shorter than the preceding sections (phew!). This section deals with data protection for the IDD Workforce in the work place, safeguards and practices.
As usual, we must point out that these blogs/articles (including those relating to the SPI and DUA series) are informational. It is the reader’s responsibility to read the root documents for themselves and/or seek understanding and clarification from appropriate experts in the field. We’re excited to announce that Focused Software now offers ancillary consulting services to help you navigate your regulatory questions – call and ask!
For any questions answered “No” an Action Plan for Compliance with a Timeline must be documented in the designated area below the question. The timeline for compliance with HIPAA-related requirements for safeguarding Protected Health Information is 30 calendar days from the date the SPI form is signed. Compliance with requirements related to other types of Confidential Information must be confirmed within 90 calendar days from the date the SPI is signed.
The HHS IDD Operations Portal is in the beta testing phase! Make sure that your client forms are securely stored, easily retrievable and in an electronic format that allows you to send documents through the Portal without hunting for paperwork and printing reams of paper!
#2. Does Applicant/Bidder have a current Workforce training program?
Discussion: Training of Workforce must occur at least once every year, and within 30 days of date of hiring a new Workforce member who will handle Texas HHS CI. Workforce includes you, your employees, your subcontractors, your volunteers, your trainees, and any other persons under you direct supervision. We can help with training guides, assessments, questionnaires, and other tools for training – call and ask.
Training must include:
(1) privacy and security policies, procedures, plans and applicable requirements for handling Texas HHS CI,
(2) a requirement to complete training before access is given to Texas HHS CI, and
(3) written proof of training and a procedure for monitoring timely completion of training.
#3. Does Applicant/Bidder have Privacy Safeguards to protect Texas HHS CI in oral, paper and/or electronic form?
Discussion: The “Privacy Safeguards” standard assures the privacy of PHI by requiring covered entities to reasonably safeguard PHI from any intentional or unintentional use or disclosure in violation of the Privacy Rule. The safeguards requirement, as with all other requirements in the Privacy Rule, establishes protections for PHI in all forms: paper, electronic, and oral. Safeguards include such actions and practices as securing locations and equipment; implementing technical solutions to mitigate risks; and workforce training.
The Privacy Rule’s safeguards standard is flexible and does not prescribe any specific practices or actions that must be taken by covered entities. This allows entities of different sizes, functions, and needs to adequately protect the privacy of PHI as appropriate to their circumstances.
This means protection of Texas HHS Confidential Information by establishing, implementing and maintaining required Administrative, Physical and Technical policies, procedures, processes and controls, required by the DUA, HIPAA (45 CFR 164.530), Social Security Administration, Medicaid and laws, rules or regulations, as applicable.
#4. Does Applicant/Bidder and all subcontractors (if applicable) maintain a current list of Authorized Users who have access to Texas HHS Confidential Information, whether oral, written or electronic?
Discussion: A current and accurate list of all staff (including direct care), subcontractors, vendors etc with access to a provider’s CI must be kept at all times. This is an essential item. A part of any employee termination procedure should include immediate denial of access to CI as well as removal from the Authorized Users list.
#5. Does Applicant/Bidder and all subcontractors (if applicable) monitor for and remove terminated employees or those no longer authorized to handle Texas HHS CI from the list of Authorized Users?
Discussion: This is referenced above and, again, is critical. Focused Software gives you an easy one step inactivation so you can deny access to individuals who have lost Authorized User status in seconds!
Stay tuned – remember Focused Software is here for you! Our blog next week will cover section C of the SPI. Contact us today – we’ll be happy to provide a free, no-obligation demonstration of the Focused Software Electronic Health Record, discuss provider operations and brainstorm with you so you feel confident complying with the SPI and DUA requirements.