SecurityMetrics Blog

You May Not Be Done With Your HIPAA Requirements


Understand HIPAA Privacy and Security Rules, and how they apply to your organization.

By: Tod Ferran, Security Analyst
When you think about Health Insurance Portability and Accountability Act (HIPAA) compliance, you may think of carefully guarding patient information from outsiders, privacy practice documentation, breach response policies, and the rights individual patients have over their protected health information (PHI).

SEE ALSO: What Are Addressable HIPAA Requirements?

What you might not consider is the more technical side of HIPAA, which requires you to protect patient data with ‘reasonable and appropriate’ safeguards. The Security Rule does not name specific products; it sets standards, and your risk analysis determines which controls fit your environment. In practice those controls include firewalls, disk encryption, secured remote access, two-factor authentication, internal and external vulnerability scans, and whatever other applications and systems your unique environment requires.

So, has your office implemented or even considered technical safeguards? Many think they have…until a breach or an audit provides an expensive education.

Privacy vs. security

The healthcare industry is extremely familiar with the HIPAA Privacy Rule, but the rules, regulations and policies that govern privacy do not automatically satisfy the Security Rule. The Security Rule applies specifically to electronic PHI (ePHI) and revolves around safeguarding the systems that store or transmit it. It carries many technical requirements that even a competent IT department may not be equipped to complete on its own.

SEE ALSO: Balance Mobile Convenience and PHI Security

While policies generated by lawyers or CPAs that outline data safeguarding practices are essential, the implementation of those policies is even more important. A policy itself doesn’t cover a business from the effects of data loss or breach, but through policy implementation, an organization stands a much better chance against data thieves. 

Because the HIPAA Security Rule and its implementation require advanced technical knowledge, many of the people responsible for HIPAA compliance do not know where to begin.

HIPAA compliance best practices

Here is the list of recommendations I usually give to small healthcare practices regarding their HIPAA compliance. Following these steps will reduce your exposure to audit findings, patient data compromise, and breach fines.
  • Acknowledge that you may not have the required training or time to pursue true HIPAA compliance. Find a provider and advisor who can personally guide you through the process.
  • Identify the person who holds assigned responsibility for the HIPAA Security Rule in your organization. If you don’t have someone, assign a HIPAA Security Officer to act as the company liaison to your HIPAA advisor.
  • Conduct a preliminary risk analysis to discover the security risks at your organization. A risk analysis is a required implementation specification of the Security Rule (45 CFR 164.308(a)(1)(ii)(A)), not an optional extra.
  • Mitigate the findings of the preliminary risk analysis, starting with the highest-risk items.
  • Create a detailed PHI data flow diagram and/or description, covering where ePHI is created, received, stored, and transmitted.
  • Perform a full risk analysis with input from both internal and external resources.
  • Update your current policy and procedure documentation and ensure employees are appropriately trained.
  • Set HIPAA requirement goals and milestones.
  • Implement the plan and begin improving your security profile.

SEE ALSO: Is Working From Home HIPAA Compliant?




Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits. Check out his other blog posts.
