Monday, December 25, 2017

How do I Become HIPAA Compliant? (a checklist)

If you handle protected health information (PHI), it is of the utmost importance that you comply with HIPAA. This is mainly to make sure that you protect sensitive data and information about patients. All covered entities as well as their business associates must follow the HIPAA Privacy policy. But adhering to HIPAA is not as easy as it sounds: there are a number of things that you need to follow. So here is a checklist if you wish to become HIPAA compliant.

HIPAA has four rules that one needs to follow. These are as follows:
● HIPAA Privacy
● HIPAA Security
● HIPAA Enforcement
● HIPAA Breach Notification

When it comes to taking action to protect sensitive data, you will have to follow the privacy policy and the security policy. Whenever there is a data breach, the breach notification policy will have to be followed. Developers will have to focus on the technical and physical aspects of the HIPAA security policy.

HIPAA Security Policy:
Administrative, technical and physical safeguards all need to be covered in order to make sure that the confidentiality of protected health information is protected. Let us now look at the three main aspects of the HIPAA security policy:

1. Technical Aspects:
This mainly covers the technology part and consists of Access Control, Audit Controls, Integrity, Authentication and Transmission Security. The things that one will have to implement are:
● Controlling access and assigning a unique user identification to each user
● Procedures to gain access to PHI in case of emergencies
● Procedures for automatic log-off and for proper encryption and decryption of data
● Strict HIPAA audit policies in order to record activity in the information systems
● Strict authentication procedures and transmission security procedures

2. Physical Aspects:
This covers physical access to PHI. The four standards here are Facility Access Controls, Workstation Use, Workstation Security and Device and Media Controls. The things that you need to follow are:
● Implementing policies that prevent unauthorized physical access to the data
● Preventing theft or leaking of confidential data
● Following strict access controls and validating the procedures properly
● Maintaining proper records and making sure that proper measures are taken to maintain the security of each workstation
● Following proper procedures for the use of workstations
● Following proper procedures for backup of data, re-use of media, storage of data and disposal of data

3. Administrative Aspects:

This covers the procedures that govern the conduct of employees. The nine standards included here are Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, and Business Associate Contracts and Other Arrangements.

Here you will have to carry out risk analysis, risk management, periodic review of the various procedures, and so on. It will also involve appointing the right staff, who hold a proper HIPAA certification and have a proper understanding of all the policies.

As you can see, one needs to follow a number of tedious steps in order to become HIPAA compliant.