HIPAA and HITECH have been around for quite some time. Even so, many companies covered by these laws are way behind the times when it comes to actual implementation. And when you really think about it, even companies not covered by these laws should have the requisite policies and procedures in place.
- Access Control Policy. How are users granted access to programs, client data and equipment? Also includes how administrators are notified to disable accounts when needed.
- Workstation Use Policy. Requiring secure passwords, monitoring logins and limiting unsuccessful logins are just a few of the basics covered. Policies also need to cover basic security best practices such as not allowing passwords to be written down or shared with others.
- Security Awareness Training. Organizations must ensure regular training of employees regarding security updates and what to be aware of. You must also keep an audit trail of your reminders and communications in case you’re audited.
- Malicious Software Controls. You must have documented policies for the frequency with which anti-malware and antivirus software are updated and what happens if an infection/outbreak occurs.
- Disaster Recovery Plan. How you respond to emergency situations (of all shapes and sizes) must be fully documented and tested regularly. A full Disaster Recovery Plan is something our company can help you with.
- Media Disposal Policy. How do you dispose of old computer equipment and data? You must have policies and procedures in place that cover exactly how all equipment is properly disposed of and logged.
- Review And Audit Procedures. There’s much more to HIPAA compliance than the 6 items discussed here; however, be certain also that whatever you do has a firm audit trail/log that shows that everything has been executed according to plan.
These are just starting points. If you’re subject to HIPAA or just want to make sure that your company is covered by these simple best practices, contact our office and we’ll be happy to review these areas with you.