Do You Handle, Store, or Have Access to Medical Records?
Here Are 7 IT Policies And Procedures You Must Have In Place NOW
HIPAA and HITECH have been around for quite some time. Many medical practices – and their vendors, who are ALSO under these laws – are way behind the times when it comes to implementation. And with cyber-thieves getting smarter and more aggressive, you must work diligently at becoming HIPAA-compliant today. To that end, here are seven things you can do to take major strides toward compliance.
- Access Control Policy. This is a plan for WHO is given access to various systems and data in your organization and HOW they are given access. To limit your liability, give access to sensitive data only to those who need it to perform their job. You also need to have a plan for disabling accounts and changing passwords when employees leave.
- Workstation Use Policy. This policy outlines how employees use their workstations, laptops, and other devices to access sensitive data (patient records). This policy should require that all employees use secure passwords and not download files from the Internet unless from a trusted, work-related source (no iTunes!). You should also monitor logins to your systems to watch for unauthorized access, and spell out the other procedures that keep each device secure.
- Security Awareness Training. Hackers are extremely clever. They use phishing emails and malicious web sites to trick users into thinking they are accessing a trusted source when, in fact, they are opening the door for these hackers to gain access. Since new threats are created DAILY, it’s smart to teach your employees how to recognize threats AND provide ongoing training about new threats as they come online. You must also keep an audit trail of your reminders and communications in case you’re audited.
- Malicious Software Controls. You must have documented policies for the frequency with which anti-malware and antivirus software are updated and what happens if an infection/outbreak occurs.
- Disaster Recovery Plan. You must have a plan in place for how you will restore patient records and files in the event of a disaster – be it an office fire, flood, burglary of your systems (yes, that’s happened!) or any other data-erasing event.
- Media Disposal Policy. Have an old PC? DON’T throw it away or give it to someone! Even if you delete all the files, a savvy hacker can use it to recover logins and data. Instead, have a qualified IT firm wipe the system first – then you can donate it or dispose of it properly. (Tip: Most firms that wipe PCs can also take care of donating it or disposing of it properly.)
- Review And Audit Procedures. As you may know, there’s a LOT more to HIPAA compliance than the items discussed here; however, whatever you do, be certain that it leaves a firm audit trail/log showing that everything has been executed according to plan.
As the saying goes, “It takes a village.” Staying compliant is not just an IT policy, but a whole approach your organization takes to keeping patient records safe, secure, and private. If you’re subject to HIPAA or want to make sure these simple best practices cover your company, contact our office, and we’ll be happy to review these areas with you, free of charge!