HIPAA COMPLIANCE AND SAFEGUARDS
Attempting to become, and remain, HIPAA compliant can be daunting and more than a bit confusing. HIPAA requires all relevant businesses to implement the appropriate safeguards to ensure that their customers’ electronic protected health information (ePHI) is kept confidential and secure.
The HIPAA Security Rule is made up of 3 parts:
1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards
Each set of safeguards is complicated in its own right. However, broken down into sensible pieces, it’s apparent that they are not as daunting as they initially appear.
In this article, we’ll take a look at the administrative safeguards associated with HIPAA. These are safeguards that can, for the most part, be easily implemented at your office today.
The administrative safeguards associated with HIPAA are a collection of policies and procedures that govern the conduct of your workforce, along with the security measures you will need to put in place to protect your customers’ ePHI.
Looking at the administrative safeguards through the broadest scope possible, the components include assigning a privacy officer, completing an annual risk assessment, ensuring employee training, and executing the required agreements with all partners who might also be handling ePHI.
When we look at them closer, administrative safeguards consist of these specific elements:
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security Awareness and Training
6. Security Incident Procedures
7. Contingency Plan
In order to properly implement these administrative safeguards, there are a number of steps that should be undertaken.
Security Management Process – Includes both risk analysis and risk management. Risk analysis is used to identify where your ePHI is being used and stored, and to forecast all the ways that HIPAA could potentially be violated. Risk management means implementing measures that will reduce the potential for HIPAA violations. Security management should also include regular reviews of IT system activity and of logs of ePHI access.
Assign Security Responsibility – Within each office, at least one HIPAA “security and privacy officer” should be assigned and properly trained.
Workforce Security – Implement procedures to authorize and supervise employees who work with ePHI, and ensure that an employee’s access to ePHI ends when their employment does.
Information Access Management – Make sure that ePHI is not accessible to unauthorized outside entities (such as subcontractors). Implement a standardized policy for authorizing any outside entities that will have access to ePHI.
Security Awareness and Training – Ensure that there are procedures for employees to follow when they create and change their system passwords. Institute a way to monitor and report employee login activity, and periodically send employees reminders about security and privacy policies.
Security Incident Procedures – Develop a standardized way to document and respond to security incidents.
Contingency Plan – Develop solid business continuity plans that include the ability to continue necessary business functions in case of emergency, along with accessible backups of ePHI data and the ability to restore it if lost. Periodically test these plans and revise them as necessary.
Evaluations – Because your business procedures, technology requirements and workforce are continually changing, evaluate and update all of your HIPAA compliance procedures on a regular basis.