As technology evolves, so should your HIPAA plan. When you first created your practice’s HIPAA policy, chances are that your employees didn’t have smart phones or wireless internet service, but now those features are ubiquitous. To ensure that your HIPAA policies are up-to-date, peruse the following checklist and ensure that you’ve got these bases covered:
- Have you designated someone as your office’s security officer and defined the duties?
- Have you performed a risk analysis of your organization where you identified all of your information assets, their vulnerabilities, your “threat profile” and assessed the risk impact?
- Have you created a security training program for all of your staff that is both general for everyone but also focused for those specific functions that carry out your daily business responsibilities?
- Are you confident that your business associates, such as billing offices and vendors, are providing the same level of security for your PHI as you do?
- Have you identified your most critical applications and the information that is essential to your office (such as EHRs), and have you provided for a business continuity/disaster recovery plan?
- Are your entity’s authentication controls adequate to prevent unauthorized access to your systems?
- Do you regularly audit your systems to determine who had access and when, if there were any attempts to exceed authorized access levels, and/or if there were any access attempts by unauthorized users?
- Have you established strong password procedures?
- Will your media, workstation and virus-checking controls measure up to compliance requirements?
- Do you have a process that ensures network security?
- Do you have a process that provides for the physical security of your facility?
- Are systems periodically tested for effectiveness of their security features?
- Do you have a staff policy about taking home portable electronics that have patient information on them?
- Has your office put texting protocols into place where you have encrypted texting procedures and a secure sign-in process if you text orders or other medical information?
- Do you have a response policy for what to do if a breach occurs—even if it’s after hours?

If you answered “no” to any of these questions, it’s a good time to revisit your HIPAA policies and train your staff accordingly.