The HIPAA Privacy Rule requires organizations to secure Protected Health Information (PHI). The HIPAA Security Rule explains how to secure PHI and electronic Protected Health Information (ePHI), including how that data should be handled, transmitted and maintained.
The Security Rule requires healthcare organizations and their Business Associates to have three security safeguards in place: Administrative, Technical and Physical.
Include the following in your HIPAA compliance program:
1. Designate a HIPAA Privacy and Security Officer and document the Officer’s role and responsibilities for the organization.
2. Have privacy and security policies and procedures in place, update them annually, revise them when necessary, and ensure all workforce members are knowledgeable and well informed about these policies and procedures.
3. Conduct an annual Security Risk Analysis for the organization, address all medium- and high-risk ratings and compliance gaps, and review the analysis regularly, especially when the environment or network changes.
4. Implement security safeguards such as antivirus, regular patching and updates for devices, upgrading all end-of-life systems, up-to-date firewalls and firmware, security monitoring for the network, and backups of all critical data both onsite and offsite.
5. Business Associate Agreements (BAAs) must be in place for all third parties accessing the organization’s ePHI/PHI, with both parties’ signatures and dates. Review BAAs and update them when there are changes to the business relationship.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). ANATOMY_IT can provide you peace of mind with our expert HIPAA compliance services.