This post isn't a conclusive listing of what's required for HIPAA compliance; it is designed to point you in the right direction.
You should assign a Privacy Officer to examine each rule in its entirety.
The HIPAA compliance 2018 rule "requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information".
Most of us believe that our medical and other health data is personal and should be protected. We also believe we should know who has this information, and we worry about how safe it is. The Privacy Rule, a Federal law, gives you rights over your health data and sets principles and limits on who can look at and receive your health information. As long as reasonable safeguards are in place, the 2018 changes to the HIPAA compliance Privacy Rule and Security Rule allow appropriate electronic communication and handling of health care 'Protected Health Information'. All personal medical information, including name, address, Social Security number, and all medical information about an "individual", falls under PHI.
As a healthcare organization, you must still make sure that a few checks and steps are taken to ensure that the HIPAA compliance 2018 changes are followed within the organization:
Administrative Safeguards:
- Always have documented physical security policies and procedures; they help guide existing and new security personnel
- Have designated HIPAA compliance officers whenever and wherever possible
- Sanctions against workforce members who fail to comply with the security policy should be documented and applied
- Continuous security training and reminders in the form of seminars, tests and webinars conducted internally
- Apply procedures to regularly review records of information system activity, such as audit logs, access reports and security-incident tracking reports
- Ensure regular reviews of the audit trails, logs and system activity of employees with access to ePHI
- Plan and periodically review the contingency policy for accessing backups of ePHI, and establish continuity of the critical business processes that protect ePHI
- Sign special business partner compliance contracts with partners who will have access to ePHI. Choose partners that have similar agreements with any of their own partners to which they also extend access
Physical Safeguards:
- Identify and assign personnel for developing and implementing security policies and procedures
- A disaster recovery plan and emergency plan, located away from the normal operating facility. This ensures that the organization has an established data backup plan to create and maintain retrievable exact copies of ePHI and to restore them
- Employee workstation access and security: ensure proper password control, control which applications are accessed and installed, and manage the physical attributes and surroundings of any workstation that can access ePHI
- Follow proper procedures for the disposal of old/used hardware and for its reuse
- Back up the data from any old hardware before it is disposed of
- Any paper trail of ePHI data is accessible only to selected employees and is always properly secured
- Implement strong Bring-Your-Own-Device (BYOD) HIPAA compliance policies in the organization wherever ePHI data is accessible and technology tools are integral to controlling access to data outside the organization
Technical Safeguards:
- Procedures for creating, changing and safeguarding passwords should be documented and implemented regularly
- Security measures to ensure the integrity of ePHI data that is electronically transmitted, making sure it is not improperly modified without detection until it is discarded
- Secure digital ePHI data by encrypting it at all (or most) times, by whatever means is deemed appropriate
- Secure access control points by ensuring critical thought is put into password protection, rules for accessing data, and automatic log-off from systems
- Audit controls: implement hardware, software and procedural mechanisms to record and examine activity on information systems that hold healthcare data
- Under the new HIPAA 2018 compliance rule, ensure proper steps are taken by the organization when a patient has not agreed to receive ePHI in unencrypted email or unencrypted text messages
- Ensure that ePHI data at rest, i.e. data kept in databases, servers or flash drives, is protected by password protection or restricted access to the physical hardware, and is encrypted at all (or most) times
- For all online forms that use, request or accept ePHI, ensure the use of security measures such as SSL and advanced password protections like 2FA
- Under the 2018 HIPAA compliance Privacy Rule, make sure that anti-virus software is run and systematically updated on machines that have access to ePHI
- The current recommendation is to use the NIST-recommended AES 256-bit encryption standard for data transmitted through electronic devices
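The audit-control and audit-review items above (record activity on systems holding ePHI, review the trails regularly, detect improper modification) can be combined in one small mechanism. The following is an added example, not code from the original post: each ePHI access event is appended to a log under an HMAC chain, so an edited or deleted entry fails verification, and a review pass flags entries a reviewer should look at. The key, the working-hours window, the patient-count threshold and the sample events are all constructed assumptions.

```python
import hmac, hashlib, json

AUDIT_KEY = b"constructed-demo-key"  # assumption: a real deployment loads this from a key store

def append_event(log, event, key=AUDIT_KEY):
    # Chain the HMAC over the previous tag plus this event, so altering or
    # deleting one entry breaks verification of it and everything after it.
    prev = log[-1]["tag"] if log else ""
    body = json.dumps(event, sort_keys=True)
    tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    log.append({"event": dict(event), "tag": tag})
    return tag

def verify_chain(log, key=AUDIT_KEY):
    # Return the index of the first entry that fails to verify, or -1 if intact.
    prev = ""
    for i, entry in enumerate(log):
        body = json.dumps(entry["event"], sort_keys=True)
        expect = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, entry["tag"]):
            return i
        prev = entry["tag"]
    return -1

def review(log, max_patients=3):
    # Flag after-hours access, exports, and users touching more than max_patients records.
    findings, seen = [], {}
    for entry in log:
        e = entry["event"]
        hour = int(e["ts"][11:13])  # ts is "YYYY-MM-DDTHH:MM:SS"; assumed 07:00-19:00 working day
        if hour < 7 or hour >= 19:
            findings.append((e["user"], "after-hours access"))
        if e["action"] == "export":
            findings.append((e["user"], "bulk export of ePHI"))
        seen.setdefault(e["user"], set()).add(e["patient"])
    for user, patients in seen.items():
        if len(patients) > max_patients:
            findings.append((user, "accessed %d patient records" % len(patients)))
    return findings

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2018-03-05T09:12:00", "user": "nurse01", "patient": "P-1001", "action": "view"},
    {"ts": "2018-03-05T23:40:00", "user": "clerk07", "patient": "P-2002", "action": "export"},
    {"ts": "2018-03-06T10:00:00", "user": "clerk07", "patient": "P-2003", "action": "view"},
    {"ts": "2018-03-06T10:01:00", "user": "clerk07", "patient": "P-2004", "action": "view"},
    {"ts": "2018-03-06T10:02:00", "user": "clerk07", "patient": "P-2005", "action": "view"},
]
```

Build the log with `append_event` for each of `SAMPLE_EVENTS`, run `verify_chain` before each review, and treat any non-negative index as an integrity incident rather than as data to review.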
Critical steps for success in passing HIPAA compliance checklists for 2018
- Review all the above steps and procedures periodically
- Document procedures and any changes made to anything related to ePHI
- Under the HIPAA 2018 compliance rule, ensure your employees are up to date at all times with regard to the procedures
- Ensure end users know how your organization handles ePHI
- Determine the likelihood of each threat occurring, with ratings such as high, medium and low or a numerical probability of the threat
ABOVE ALL, keep the organization updated at all times with the documentation needed to prove and pass compliance.