Nine Policies and Procedures for Compliance with HIPAA


November 5, 2013

HIPAA Compliance

The HIPAA Security Rule was enacted in 1996 by the U.S. Congress, designed to establish national standards to protect individuals’ electronic personal health information used and/or stored by a covered entity. The HITECH act states that all healthcare providers will be offered financial incentives for establishing meaningful use of electronic health records.

While HIPAA and HITECH have been around for a while, many healthcare providers and business associates still fail to comply with their policies and procedures. Here are the top policies and procedures to make sure your healthcare organization follows:

Access Control Policy

Make sure your organization has adequate guidelines regarding which users are granted access to specific programs, equipment, and client data. In addition, be aware of how administrators are notified to disable accounts when necessary.

Assess Mobile Users

Within the healthcare industry, mobile devices are becoming more common as the industry converts from paper to electronic information. It’s important to develop a comprehensive security plan for remote access to ePHI, as well as an extensive mobile device strategy. It’s also a good idea to ensure administrators are able to remotely wipe devices in the event of an employee leaving the organization.

Workstation Use Policy

There are a few obvious basics when it comes to workstation use, including secure passwords, limits on unsuccessful login attempts, and login monitoring. However, healthcare organizations also need policies that cover basic security best practices, such as prohibiting passwords from being shared or written down.

Software Update Policy

To avoid malicious attacks, you must document policies regarding how frequently anti-malware and anti-virus software is updated. In addition, develop a procedure to follow if an infection occurs.

Security Awareness Training

Healthcare organizations must ensure employees are trained regarding security on a regular basis. Training should include security updates and best practices. It’s important to keep documentation of your training and communications as well. The documentation will be helpful when you’re audited.

Backup and Disaster Recovery

Healthcare organizations must have a secure backup plan, as well as complete documentation of how they will respond to emergency situations. In addition, test your backup and disaster recovery plan on a regular basis.

Equipment Disposal Policy

How an organization plans to dispose of old equipment and data is extremely important. Healthcare organizations must have policies and procedures in place, specifying exactly how all equipment will be disposed of and logged.

Update Business Associate Agreements

A HIPAA business associate agreement (BAA) is a contract between the healthcare organization and a HIPAA business associate (BA). The contract protects personal health information according to the HIPAA guidelines. The contract must include how the BA will report and respond to a data breach, including data breaches caused by the business associate’s subcontractors.

Review and Audit Procedures

Reviewing and auditing are very important parts of the process. As with any project, an organization must draft, review, edit, approve, audit, and communicate all policies and procedures. Healthcare organizations must maintain an audit trail/log showing that all of the procedures are being executed properly and according to plan.

Of course, the policies and procedures mentioned above are simple starting points. For healthcare organizations or business associates looking for information regarding HIPAA compliance, please give us a call at (888) 330-8808 today. {Company} can help you review or set up your policies and procedures.

We're Integris. We're always working to empower people through technology.
