If you are a hospital, emergency medical clinic, dental office, nursing home or other health-related covered entity, you are required by law to have a specialized IT risk assessment performed to satisfy the requirements of HIPAA, the Health Insurance Portability and Accountability Act (the Security Rule calls this a risk analysis, 45 CFR 164.308(a)(1)(ii)(A)).
So, too, are the companies that do business with these entities and handle their protected health information (HIPAA calls them business associates), including IT service providers, shredding companies, document storage companies, attorneys, accountants, collection agencies, and many others.
We want to make compliance less complicated for your business.
Our goal is to help Reduce Risk, Solve Business Problems and Build Trust!
HIPAA Consideration Questions:
When preparing for compliance, asking the following questions will help you choose the right compliance strategy.
- Do you have policies and procedures requiring safeguards to limit access to those persons and software programs appropriate for their role?
- Do you analyze the activities performed by all of your workforce and service providers to identify the extent to which each person needs access?
- Do you have policies and procedures for the assignment of a unique identifier for each authorized user?
- Do you know the encryption capabilities of your information systems and electronic devices?
- Do you have audit control mechanisms that can monitor, record and/or examine information system activity?
- Do you generate audit reports and distribute them to the appropriate people for review?
- Do you have policies and procedures establishing retention requirements for audit purposes?
- Do you implement encryption as the safeguard to ensure that ePHI is not compromised while it is transmitted over a network from one point to another?
Immediate Actions:
Network and security scan – Identify abandoned computer and user accounts, network vulnerabilities, and missing patches or gaps in patch policy.
User Account Security – All users should have unique accounts; shared or generic logins defeat the audit trail. Password policy should follow current industry guidance: NIST SP 800-63B recommends long passphrases screened against lists of known-breached passwords plus multi-factor authentication, and advises against forced periodic expiration unless there is evidence of compromise.
Access Level Security – Users should only have access to the resources required to perform their job (HIPAA's "minimum necessary" standard). This includes file-level permissions, network shares and access to applications.
IT Policy – Review it and verify that it clearly defines who may access information on the network, what they may access, and how and when.
Policy and Procedures – Ensure there are policies and procedures in place that govern access to patient information, whether digital or physical.
Designated Lead – A person or group trained in HIPAA compliance and responsible for compliance actions. HIPAA requires a named Security Official (and a Privacy Official), so this role should be documented, not informal.
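The audit-report and account-review items above (audit controls and reports in the questions, abandoned accounts, unique accounts and role-based access in the Immediate Actions) are easiest to see as a concrete check. The following script is an added example, not code from the original page or from the provider it describes. It runs over a constructed account export and a constructed ePHI access log, and the role matrix, the 90-day stale threshold and the 10-minute shared-account window are assumptions chosen for illustration.

```python
"""
Added example (not part of the original page): a minimal audit report over
a CONSTRUCTED account export and a CONSTRUCTED ePHI access log. It flags
abandoned accounts, access outside a user's role, and signs that one login
is being shared between workstations. Thresholds and the role matrix are
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)       # assumption: enabled + no logon in 90 days = abandoned
SHARED_WINDOW = timedelta(minutes=10)  # assumption: two hosts within 10 min = shared login

# Assumed example matrix: which roles may open which kinds of ePHI record.
ROLE_ACCESS = {
    "clinical_note": {"physician", "nurse"},
    "billing":       {"billing", "physician"},
    "schedule":      {"physician", "nurse", "billing", "frontdesk"},
}

# Constructed account export: username, role, enabled flag, last logon (UTC).
ACCOUNTS = """
username,role,enabled,last_logon
jdoe,physician,1,2024-05-30T08:15:00
asmith,nurse,1,2024-02-01T17:40:00
frontdesk,frontdesk,1,2024-05-31T07:55:00
mlee,billing,1,2024-05-29T12:00:00
oldcontractor,billing,1,2023-11-10T09:00:00
tgone,nurse,0,2023-12-01T09:00:00
""".strip()

# Constructed access log: timestamp, user, workstation, record type, patient id.
ACCESS_LOG = """
2024-05-31T08:01:00 jdoe WS-EXAM1 clinical_note P1001
2024-05-31T08:03:00 frontdesk WS-LOBBY schedule P1001
2024-05-31T08:05:00 frontdesk WS-BACK schedule P1002
2024-05-31T08:09:00 frontdesk WS-LOBBY clinical_note P1002
2024-05-31T09:30:00 mlee WS-BILL billing P1003
2024-05-31T22:45:00 temp01 WS-BILL billing P1001
""".strip()


def parse_accounts(text):
    """Turn the CSV export into {username: {role, enabled, last_logon}}."""
    rows = [line.split(",") for line in text.splitlines()[1:]]
    return {u: {"role": r, "enabled": e == "1", "last_logon": datetime.fromisoformat(ts)}
            for u, r, e, ts in rows}


def parse_log(text):
    """Parse one access event per line into dicts."""
    events = []
    for line in text.splitlines():
        ts, user, host, rtype, pid = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "record": rtype, "patient": pid})
    return events


def stale_accounts(accounts, now):
    """Enabled accounts with no logon inside STALE_AFTER: candidates for disabling."""
    return sorted(u for u, a in accounts.items()
                  if a["enabled"] and now - a["last_logon"] > STALE_AFTER)


def role_violations(accounts, events):
    """Accesses where the user's role is not allowed for that record type.
    A user missing from the export (role None) is flagged too: an account
    nobody owns is exactly what the account scan should surface."""
    out = []
    for ev in events:
        role = accounts.get(ev["user"], {}).get("role")
        if role not in ROLE_ACCESS.get(ev["record"], set()):
            out.append((ev["user"], ev["record"], ev["patient"]))
    return out


def shared_account_indicators(events):
    """Same username active from two different workstations within SHARED_WINDOW."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    flagged = set()
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur["host"] != prev["host"] and cur["ts"] - prev["ts"] <= SHARED_WINDOW:
                flagged.add(user)
    return sorted(flagged)


def build_report(accounts_text=ACCOUNTS, log_text=ACCESS_LOG, now=datetime(2024, 6, 1)):
    """Assemble the three findings lists; 'now' is fixed so the sample is reproducible."""
    accounts = parse_accounts(accounts_text)
    events = parse_log(log_text)
    return {
        "stale_accounts": stale_accounts(accounts, now),
        "role_violations": role_violations(accounts, events),
        "shared_account_indicators": shared_account_indicators(events),
    }


if __name__ == "__main__":
    for section, findings in build_report().items():
        print(f"{section}: {findings}")
```

Each finding maps back to a question above: stale accounts to the workforce-activity review, role violations to the role-based access policy, and the shared-login indicator to the unique-identifier requirement. In practice the inputs would be a directory export and the EHR's audit log, and the report would go to the designated lead on the retention schedule the audit policy sets.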
Intermediate Actions:
Self Evaluation – Determine whether the resources needed to meet compliance standards are available in-house or whether outside help is needed.
User Training – All users should receive at least basic HIPAA training so they understand how it applies to their job function.
Redundancy – Ensure there are reliable, regularly tested backups and system redundancy so that ePHI remains available if systems fail.
Encryption – Ensure portable devices such as laptops and mobile phones use full-disk encryption, and have a system in place for either automatic or manual email encryption. A lost device whose ePHI is properly encrypted is not considered "unsecured" PHI under HHS guidance, which is why this control matters for breach notification.