Are you compliant?
It’s become a cliché to say that HITECH has given HIPAA teeth, but it’s true. Audits have begun and so have the fines (for large and small companies alike). What follows is a list of 10 sets of policies/procedures that companies falling under HIPAA regulations MUST have. In fact, these are things that all organizations should have anyway.
- Physical Security Policies
- Access Control
- Workstation Use Policies
- Security Awareness
- Security Software
- Disaster Recovery
- Risk Analysis
What is HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act) mandates the use of computers and patient privacy when dealing with patient data and information. These standards ensure the data will be transmitted on a standard that patient privacy and information is secure and within guidelines established for this act.
Security Standards should be put into place that help to prevent, detect security events and allow for the correction of HIPAA Security violations.
Companies and hospitals need a Risk Analysis so the vulnerabilities and possible risks can be evaluated. This ensures that the integrity and confidentiality is maintained. With this in place, companies can then look in to Risk Management to help reduce the risk of exposure of their records. With these two critical items in place, employees should be trained and informed of any repercussions of failure to comply with these rules.
After setting the aforesaid policies in place, a review of the policies and procedures should take place. This includes the auditing of servers, workstations, logs, reports and any reports.
The information below is a partial list and description of different areas needed to protect data and information involving HIPAA. Links following this information gives more information on the standards required to meet HIPAA standards.
Organizations should assign a security analyst, or a security officer to help identify who is responsible for maintaining and enforcing the HIPAA standards within the organization. This assignment ensures the quality of the standards set forth by the organization
Organizations should ensure that training is implemented and carried out to all employees. Decisions should be made on employee access and rights to individual and key records. This includes information on how employees have access to records, and which supervisors can give, modify, or take away access to records.
Security Awareness and Training of Workforce
Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis (including all management personnel). Training should be provided to include employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information and other mission critical operations.
Records and Information Access
Policies should define roles on who can have what access to programs and information. These policies should further define the roles in information technology of the IT personnel who have the rights to modify the access.
Policies and procedures should be implemented to include incident response. This information should be used to identify security incidents and how to respond to such incidents. The security officer for the organization along with management should evaluate the effects of any incidents. Documentation of any incidents should be made along with the outcomes for the possible modification of the policies along with the ending result of the incident to prevent any further incidents.
Contingency and Emergency Operations Plan
Policies and Procedures should include the Disaster Backup and Recovery plan to ensure the business can continue operations in the event of a disaster. This information includes the team that keeps the business going, recovering lost data, testing of backup procedures and replacement of equipment.
Hardware, Software and Transmission Security
Organizations should have a hardware firewall in place along with professional versions of operating systems. Transmission of personal information should be encrypted and comply with HIPAA rulings. Operating Systems should be hardened and up to date. Policies should cover the updating of hardware, hardware firmware, software, operating systems and applications. Data integrity control should be in place for data and data transmission.
HIPAA IT compliance is primarily concerned with ensuring all the provisions of the HIPAA Security Rule are followed and all elements of a HIPAA compliance checklist are covered. Risk assessment and management is a key consideration for HIPAA IT compliance. HIPAA IT compliance concerns all systems that are used to transmit, receive, store, or alter electronic protected health information. Any system or software that ‘touches’ ePHI must incorporate appropriate security protections to ensure the confidentiality, integrity, and availability of ePHI.
Email is just one of many areas in which potential lapses in security exist. Emails containing PHI that are sent beyond an internal firewalled server should be encrypted. It should also be considered that emails containing PHI are part of a patients’ medical record and should therefore be archived securely in an encrypted format for a minimum of six years. Finally, as medical records can attract a higher selling price on the black market than credit card details, defenses should be put in place to prevent phishing attacks and the inadvertent downloading of malware. Several recent HIPAA breaches have been attributed to criminals obtaining passwords to EMRs or other databases, and healthcare organizations can mitigate the risk of this happening to them with a web content filter.