The HIPAA Security Rule was enacted in 1996 by the U.S. Congress, designed to establish national standards to protect individuals’ electronic personal health information used and/or stored by a covered entity. The HITECH act states that all healthcare providers will be offered financial incentives for establishing meaningful use of electronic health records.
While HIPAA and HITECH have been around for a while, many healthcare providers and business associates still fail to comply with the required policies and procedures. Here are the top policies and procedures your healthcare organization should make sure it follows:
Access Control Policy
Make sure your organization has adequate guidelines regarding which users are granted access to specific programs, equipment, and client data. In addition, define how administrators are notified to disable accounts when necessary.
Assess Mobile Users
Within the healthcare industry, mobile devices are becoming more common as the industry converts from paper to electronic information. It’s important to develop a comprehensive security plan for remote access to ePHI, as well as an extensive mobile device strategy. It’s also a good idea to ensure administrators are able to remotely wipe devices in the event of an employee leaving the organization.
Workstation Use Policy
There are a few obvious basics when it comes to workstation use, including secure passwords, limits on unsuccessful login attempts, and monitoring of logins. However, healthcare organizations also need policies that cover basic security best practices, such as prohibiting passwords from being shared or written down.
Software Update Policy
To guard against malicious attacks, you must document policies regarding how frequently anti-malware and anti-virus software is updated. In addition, develop a procedure to follow if an infection occurs.
Security Awareness Training
Healthcare organizations must ensure employees receive security training on a regular basis. Training should include security updates and best practices. It’s important to keep documentation of your training and communications as well; that documentation will be helpful when you’re audited.
Backup and Disaster Recovery
Healthcare organizations must have a secure backup plan, as well as complete documentation of how they will respond to emergency situations. In addition, test your backup and disaster recovery plan on a regular basis.
Equipment Disposal Policy
How an organization plans to dispose of old equipment and data is extremely important. Healthcare organizations must have policies and procedures in place, specifying exactly how all equipment will be disposed of and logged.
Update Business Associate Agreements
A HIPAA business associate agreement (BAA) is a contract between the healthcare organization and a HIPAA business associate (BA). The contract protects personal health information according to the HIPAA guidelines. The contract must include how the BA will report and respond to a data breach, including data breaches caused by the business associate’s subcontractors.
Review and Audit Procedures
Reviewing and auditing are very important parts of the process. Similar to any project, an organization must draft, review, edit, approve, audit, and communicate all policies and procedures. Healthcare organizations must maintain an audit trail/log that shows all of the procedures being executed properly and according to plan.
Of course, the policies and procedures mentioned above are simple starting points. For healthcare organizations or business associates looking for information regarding HIPAA compliance, please give us a call at (888) 330-8808 today. {Company} can help you review or set up your policies and procedures.