Policies And Procedures To Have In Place

Under the HIPAA Security Rule, the following items, within the three listed categories, are expected to be present:

1. Administrative Safeguards - These are the policies and procedures designed to show how an entity complies with HIPAA at the administrative level.

  • Covered entities must have a written list of privacy procedures and select a privacy officer, who will be responsible for implementing these procedures.
  • Where management oversight is concerned, there should be a procedure in place for management buy-in to compliance, as dictated by the documented security controls.
  • Procedures should identify everyone whose job requires access to Electronic Protected Health Information (EPHI).
  • The procedures should also address authorization, establishment, modification, and termination of access to PHI.
  • There must be evidence of an ongoing training program for those handling PHI.
  • Covered entities must make sure all businesses with which they deal also comply with the necessary safeguards (through contracts), and must make sure those parties only deal with other HIPAA-compliant entities.
  • There must be a proven contingency plan for emergencies. Covered entities must back up their data and provide evidence of a disaster recovery procedure. The plan should be continually updated to reflect ongoing data prioritization, system failures, security assessments, etc.
  • There should be regular, internal, documented audits within covered entities.
  • There must be a plan in place for responding to any security breach discovered during an internal audit, or simply during day-to-day operations.

2. Physical Safeguards - These safeguards protect the actual physical process of handling information and data.

  • The introduction and disposal of hardware and software over open networks must be carefully monitored.
  • All equipment containing any sort of PHI must be carefully monitored, with restricted access.
  • Only authorized individuals may have access to hardware and software.
  • There must be facility security plans in place, up-to-date maintenance records, and a sign-in/escort process for every visitor on the premises.
  • Workstations should be treated appropriately, with information not visible in high-traffic areas.
  • All contractors must also be aware of and comply with these physical safeguards.

3. Technical Safeguards - These safeguards cover electronic communications specifically, ensuring they cannot be intercepted by outside parties.

  • Systems holding PHI must be secured against intrusion. When information is shared over networks, it must be encrypted.
  • Entities must ensure data has not been tampered with.
  • Further technical safeguards may be used to protect authentication.
  • Covered entities must be certain of the authenticity of those with whom they communicate.
  • Covered entities must provide documentation of HIPAA practices so the government may determine compliance (see below for more information).
  • IT documentation should include a record of the configuration settings on the network.
  • Risk analysis and risk management programs are mandatory and must be evidenced through documentation.

For medical practices, preparing for an audit involves being able to provide the following upon request:

  • All of the proper, aforementioned documentation, kept on hand.
  • Proof that the EHR system in place for meaningful use is certified.
  • Documentation that all data is correct.
  • Proof that a security risk assessment took place, and physical evidence of a corrective action plan.