HIPAA (the Health Insurance Portability and Accountability Act) mandates the use of computers and patient privacy when dealing with patient data and information. These standards ensure the data will be transmitted on a standard that patient privacy and information is secure and within guidelines established for this act.

 

Security Standards should be put into place that help to prevent and detect security events and allow for the correction of HIPAA Security violations.

 

Companies and hospitals need a Risk Analysis in order to evaluate the vulnerabilities and possible risks while maintaining the integrity and confidentiality of their information. With this in place, companies can then look in to Risk Management to help reduce the risk of exposure of their records. With these two critical items in place, employees should be trained and informed of any repercussions of failure to comply with these rules.

After setting the aforementioned policies in place, a review of the policies and procedures should take place. This includes the auditing of servers, workstations, logs, and any reports.

 

 

The information below and above is a partial list and description of different areas needed to protect data and information involving HIPAA.  This list is intended for general informational purposes only, it is not intended as a HIPAA checklist or even a guideline.  By using this website, you agreee that in no way, shape, or form and without limitation to hold Craztech, Craztech officers and/or Craztech employees or any affilliate responsible for any loss or damages due to the improper use of this site and/or it's content. Links following this information give more information on the standards required to meet HIPAA compliance, specifically, www.hhs.gov/ocr/hipaa.

 

Roles

Organizations should assign a security analyst or security officer to help identify who is responsible for maintaining and enforcing the HIPAA standards within the organization. This assignment ensures the quality of the standards set forth by the organization

 

Workforce

Organizations should ensure that training is implemented and carried out to all employees. Decisions should be made on employee access and rights to individual and key records. This includes information on how, and which, employees have access to records and which supervisors can give, modify or take away access to records.

 

Security Awareness and Training of Workforce

Organizations should provide a training program to raise awareness of HIPAA rights and responsibilities. Every individual in the organization must be trained on a regular basis (Including all management personnel). Training should be provided and include employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information and other mission critical operations.

 

Records and Information Access

Policies should define roles that dictate who can have what access to programs and information and when. These policies should further define the roles in information technology, more specifically, limitations and priviledges of the IT personnel who have the rights to modify the access.

 

Incident Response

Policies and procedures should be implemented to include incident response. This information should be used to identify security incidents and how to respond to such incidents. The security officer for the organization, along with management, should evaluate the effects of any incident. Documentation of any incident should be made, along with the outcome of the incident, suggestions for the possible modification of policies at fault, and addding the documentation to a knowledge base for reference for any incident that may occur in the future.

 

Contingency and Emergency Operations Plan

Policies and Procedures should include the Disaster Backup and Recovery plan to ensure the business can continue operations and minimize data loss in the event of a disaster. This information includes the team that keeps the business going, recovering lost data, testing of backup procedures and replacement of equipment.

 

Hardware, Software and Transmission Security

Organizations should have a hardware firewall in place along with professional versions of operating systems. Transmission of personal information should be encrypted and comply with HIPAA regulations. Operating Systems should be hardened and up to date. Policies should cover the updating of hardware, hardware firmware, software, operating systems and applications. Data integrity control should be in place for data systems, the data itself and data transmission.

 

Audit Control

Procedure audit mechanisms should be in place for all hardware, software and data control. This information should be reviewed by the security supervisor on a regular basis.