The information below is a partial list and description of different areas needed to protect data and information involving HIPAA. Links following this information gives more information on the standards required to meet HIPAA standards.
Organizations should assign a security analyst or security officer to help identify who is responsible or maintaining and enforcing the HIPAA standards within the organization. This assignment ensures the quality of the standards set forth by the organization
Organizations should ensure that training is implemented and carried out to all employees. Decisions should be made on employee access and rights to individual and key records. This includes information on and how employees have access to records and which supervisors can give, modify or take away access to records.
Security Awareness and Training of Workforce
Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis (Including all management personnel). Training should be provided to include employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information and other mission critical operations.
Records and Information Access
Policies should define roles on who can have what access to programs and information. These policies should further define the roles in information technology of the IT personnel who have the rights to modify the access.
Policies and procedures should be implemented to include incident response. This information should be used to identify security incidents and how to respond to such incidents. The security officer for the organization along with management should evaluate the effects of any incidents. Documentation of any incidents should be made along with the outcomes for the possible modification of the policies along with the ending result of the incident to prevent any further incidents.
Contingency and Emergency Operations Plan
Policies and Procedures should include the Disaster Backup and Recovery plan to ensure the business can continue operations in the event of a disaster. This information includes the team that keeps the business going, recovering lost data, testing of backup procedures and replacement of equipment.
Hardware, Software and Transmission Security
Organizations should have a hardware firewall in place along with professional versions of operating systems. Transmission of personal information should be encrypt and comply with HIPAA rulings. Operating Systems should be hardened and up to date. Policies should cover the updating of hardware, hardware firmware, software, operating systems and applications. Data integrity control should be in place for data and data transmission.
Procedure audit mechanisms should be in place for all hardware, software and data control. This information should be reviewed by the security supervisor on a regular basis.
Links to Checklists and Educational Materials