Do You Handle, Store or Have Access to Medical Records?
As the saying goes, "it takes a village." Staying compliant is not just an IT policy, but a whole approach your organization takes to keeping patient records safe, secure and private. If you're subject to HIPAA, or just want to make sure your company is covered by these simple best practices, contact our office and we'll be happy to review these areas with you, free of charge!
Our HIPAA Compliance Assessment Report is not just another checklist. You will be given a tangible, printed report. Your report package includes:
- Risk Assessment to Identify Vulnerabilities & Threats
- Estimate Likelihood and Impact
- Prioritize and Document Risks
- Risk Management
- Risk Avoidance & Risk Mitigation
- HIPAA Policy and Procedures
- Evidence of HIPAA Policy Compliance
- Security Exception Worksheet
- Supporting Documents
- HIPAA On-Site Survey Response Form
- User Identification Worksheet
- Computer Identification Worksheet
- Network Share Identification Worksheet
- User Behavior Analysis
- Login History by Computer
- Share Permission Report
- Share Permission Report by User
- Drive Encryption Report
Will you be prepared when a compliance officer or your business insurance company comes knocking at your door?
IT Policies and Procedures You Should Have In Place
HIPAA and HITECH have been around for quite some time, yet many medical practices – and their vendors, who are ALSO subject to these laws – are way behind the times when it comes to implementation. And with cyber-thieves getting smarter and more aggressive, it's imperative that you work diligently toward becoming HIPAA compliant today. To that end, here are 7 things you can do to take major strides toward compliance.
- Access Control Policy. This is a plan for WHO is given access to various systems and data in your organization and HOW they are given access. To limit your liability, give access to sensitive data only to those who need it to perform their job. You also need to have a plan for disabling accounts and changing passwords when employees leave.
- Workstation Use Policy. This policy outlines how employees use their workstations, laptops and other devices to access sensitive data (patient records). This policy should require that all employees use secure passwords and not download files from the Internet unless from a trusted, work-related source (no iTunes!). You should also monitor logins to your systems to watch for unauthorized access and employ other specific procedures for keeping that device secure.
- Security Awareness Training. Hackers are extremely clever and use phishing e-mails and false web sites to trick users into thinking they are accessing a trusted source when, in fact, they are opening the door for these hackers to gain access. Since new threats are created on a DAILY basis, it’s smart to teach your employees how to recognize threats AND provide ongoing training about new threats as they come online. You must also keep an audit trail of your reminders and communications in case you’re audited.
- Malicious Software Controls. You must have documented policies for the frequency with which anti-malware and antivirus software are updated and what happens if an infection / outbreak occurs.
- Disaster Recovery Plan. You must have a plan in place for how you will restore patient records and files in the event of a disaster – be it an office fire, flood, burglary of your systems (yes, that’s happened!) or any other data-erasing event.
- Media Disposal Policy. Have an old PC? DON’T just throw it away or give it to someone! Even if you delete all the files, a savvy hacker can use it to recover logins and data. Instead, have a qualified IT firm wipe the system first – then you can donate it or dispose of it properly (Tip: Most firms that wipe PCs can also take care of donating it or disposing of it properly).
- Review and Audit Procedures. As you may know, there’s a LOT more to HIPAA compliance than the items discussed here; however, be certain also that whatever you do has a firm audit trail / log that shows that everything has been executed according to plan.
Contact us to schedule your free HIPAA Assessment Review.