If you are a medical practice or an organization that handles sensitive information about patients’ health records, you must be familiar with how to become HIPAA compliant, or risk legal action and fines. The HIPAA security, privacy, enforcement and breach notification rules must be broken down in detail in order to put a plan into effect for following them. We at IPRO have compiled a list of 9 things your organization must do to maintain HIPAA compliance:
- Safeguard Workstations
Under the Physical Safeguards of Security Standards in HIPAA, workstations need to be protected in some way. All workstations with access to protected health information (PHI) must have safeguards implemented, which restrict access to only authorized users.
- Access Control
A unique user identification should be assigned to each individual in the network so that their activity can be traced to them. Electronic procedures can also be put into place to end an electronic session after a set period of inactivity. For better control, an encryption and decryption mechanism should be implemented in the network where PHI is handled.
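The two access-control measures above, a unique identifier per person and automatic logoff after inactivity, can be illustrated with a small session store. This is an added example, not code from IPRO or from this article; the user identifiers, the 15-minute limit and the injected clock are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed policy value for the example: 15 minutes of inactivity ends a session.
INACTIVITY_LIMIT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str          # unique identifier assigned to exactly one person, never shared
    token: str            # opaque, random handle handed to the client after login
    last_activity: float  # clock reading (seconds) of the most recent request


class SessionStore:
    """Tracks sessions per unique user and enforces automatic logoff.

    The clock is injected so the timeout can be exercised deterministically;
    a real deployment would pass time.time or time.monotonic.
    """

    def __init__(self, clock=time.monotonic, inactivity_limit=INACTIVITY_LIMIT_SECONDS):
        self._clock = clock
        self._limit = inactivity_limit
        self._sessions = {}  # token -> Session

    def login(self, user_id):
        # The token is unguessable; the user_id is what audit records will attribute activity to.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, token, self._clock())
        return token

    def resolve(self, token):
        """Return the user_id behind a token, or None if the session expired or never existed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self._limit:
            # Automatic logoff: the session sat idle past the limit, so it is discarded
            del self._sessions[token]
            return None
        session.last_activity = now  # any activity restarts the idle timer
        return session.user_id

    def logout(self, token):
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("u-0001")  # constructed user identifier
    print("resolved to", store.resolve(tok))
```

Each request should go through `resolve`; a `None` result means the caller must authenticate again, which is the behaviour the automatic-logoff standard asks for.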
- Security Management
A security management process must be established by first performing a risk analysis that identifies where PHI is used and stored and all the ways in which HIPAA could be violated. Risk management must then be implemented, with appropriate measures to lower these risks to a manageable level.
- Workforce Security
Procedures should be implemented for employee oversight, which means supervising and authorizing employees who work with PHI. It may also involve granting and revoking PHI access for members of the practice. A sanction policy must be put into place stating that unauthorized access will result in job termination.
- Security Awareness and Training
Send updates and reminders about privacy and security policies to staff periodically. Put procedures into place to protect against, detect and report harmful malware. Institute login monitoring and reporting of discrepancies, as well as procedures for creating, changing and protecting passwords.
- Audit Controls and Transmission Security
Use software, hardware and procedural systems that examine and record activity in information systems that use PHI. Put into place security measures that ensure electronically transmitted PHI cannot be improperly modified without detection, from the point of transmission until it is disposed of.
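Both halves of this item, recording who did what with PHI and detecting improper modification of PHI in transit, can be shown together. The following is an added example written for this page, not IPRO's or the article's own code: transmitted records carry an HMAC-SHA256 tag that the receiver verifies, and access events go into a hash-chained audit log whose own integrity can be checked. The shared key, the patient record and the user identifiers are constructed for the illustration; in a real system the key would come from a key-management service.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed for the example: a key shared by sender and receiver.
SHARED_KEY = secrets.token_bytes(32)


def canonical(obj):
    """Serialise identically on both ends so the tag is computed over the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def protect(record, key=SHARED_KEY):
    """Attach an HMAC-SHA256 tag to a PHI record; any change to the record changes the tag."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope, key=SHARED_KEY):
    """True only if the record is byte-for-byte what the sender tagged (constant-time compare)."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


class AuditLog:
    """Append-only record of PHI activity; each entry is chained to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, user_id, action, patient_id, outcome):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id,        # the unique user identifier from access control
            "action": action,
            "patient": patient_id,
            "outcome": outcome,
            "prev": prev,
        }
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def intact(self):
        """Recompute every hash and link; False if any entry was edited, removed or reordered."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Transmit a record, verify it, then show that a modified copy is rejected and logged."""
    log = AuditLog()
    record = {"patient_id": "P-0001", "test": "HbA1c", "value": 6.1}  # constructed sample PHI
    envelope = protect(record)
    ok_original = verify(envelope)
    log.append("u-0001", "transmit", record["patient_id"], "tag-valid" if ok_original else "tag-invalid")

    tampered = json.loads(json.dumps(envelope))  # what a modified copy in transit would look like
    tampered["record"]["value"] = 9.9
    ok_tampered = verify(tampered)
    log.append("u-0002", "receive", record["patient_id"], "tag-valid" if ok_tampered else "tag-invalid")
    return ok_original, ok_tampered, log.intact()


if __name__ == "__main__":
    print(demo())
```

The tag only proves integrity and origin; confidentiality in transit still needs encryption (TLS or an authenticated-encryption mode), which the access-control item above calls for separately.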
- Media and Device Controls
Policies must be implemented regarding the final disposal of PHI, as well as the electronic media or hardware it was stored on. Records need to be maintained of the movements of electronic media and hardware. When re-using media, procedures must be implemented to remove the PHI from the electronic devices before re-use. A retrievable, exact copy of PHI must be backed up and stored before equipment is moved.
- Contingency Plans
Procedures must be put into place for restoring and retrieving lost data in the event of a disaster. The practice should test and revise its contingency plans periodically. Put a continuity plan into place so that the organization can go on protecting the security of PHI while operating in emergency mode.
- Evaluation
Regular evaluations must be performed to find out whether any changes in your practice or in the law require changes to your HIPAA compliance procedures. If you are not up to date with these changes, you could face large fines.
At IPRO we are experts on HIPAA compliance. Contact us and we will answer any questions you may have about HIPAA and your company.