HIPAA Data Security Best Practice #2 – How’s My HIPAA Data Security?
Once you know where PHI is stored, you need to examine how secure it is. Start with your HIPAA policies and procedures and evaluate whether they are adequate for your needs. Then determine whether those policies are actually being followed.
Part of achieving and maintaining HIPAA compliance is conducting an annual HIPAA Security Risk Assessment as required by law. If done thoroughly, this yearly activity will help you identify any technical or non-technical gaps in your compliance with the HIPAA Security and Privacy Rules.
HIPAA Data Security Best Practice #3 – Am I Mitigating My Risk?
Any gaps identified in the security risk assessment must be addressed through remediation. This is when you fix the non-technical holes, such as updates to your HIPAA policies and procedures, administrative safeguards, and workstation security. Then you need to close the technical gaps, such as user authentication, encryption, and access and audit controls for access to PHI.
Notice that we started with the non-technical side of things. So many people think that security and compliance are all on the technical side. The truth is that HIPAA compliance is following the requirements of the law and being able to prove it. The non-technical aspects of your compliance plan, like policies, are just as crucial to HIPAA investigators as how your files are encrypted.
HIPAA Data Security Best Practice #4 – Do I Have an Incident Response Plan (and is it current)?
Believe it or not, HIPAA regulators don’t expect you to be perfect. What they do expect is that you will be realistic. Breaches are going to happen.
Whether the cause is an accident, negligence, or criminal activity, HIPAA investigators will want to know if you had an Incident Response Plan (IRP) and if you followed it.
A comprehensive IRP clearly defines who is responsible for incident response and what actions they should take, including notifying affected individuals and government agencies as required under the HIPAA Breach Notification Rule.
We’ve listed four HIPAA data security best practices, but the ultimate goal should be achieving HIPAA compliance in a way that works for your organization. Our experts at Compliancy Group are willing to help you meet all the required standards and get the peace of mind from knowing you are fully compliant.