Physical security controls prevent unauthorized physical access to secure areas. This includes placing servers, backup media and paper records in secure locations, controlling access to the building, 24/7 monitoring, restricting access to authorized personnel only, and escorting or otherwise restricting vendor access.
Network & Information Security
Designed to protect your network and data. Areas to consider as part of your NIS include access control for systems, antivirus software, email security, firewalls, mobile device security, data loss prevention, wireless security and web security.
Emergency Response & Disaster Recovery
A disaster recovery plan (DRP) is a documented set of procedures for recovering and protecting a practice's IT infrastructure in the event of a disaster. The plan should be written down, tested periodically, and kept available offline so it can be followed when the systems it describes are unavailable.
Company-Wide HIPAA Education
HIPAA requires that both covered entities and business associates provide HIPAA training to members of their workforce who handle PHI. This means that even small physicians' offices need to train their personnel on HIPAA.
HITECH Act Compliance
Areas of great importance to medical practices include:
Enhanced HIPAA enforcement – HITECH increased the focus on and enforcement of HIPAA. It introduced tiered civil penalties, with the "willful neglect" tiers reaching $50,000 per violation and up to $1.5 million per calendar year for violations of the same provision.
Breach Notifications – Practices must notify affected patients when a breach of unsecured protected health information (PHI) occurs. If a breach affects 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days after discovery, and a breach affecting more than 500 residents of a state also requires notice to prominent media outlets; smaller breaches are logged and reported to HHS annually.
Electronic Health Record access – The act requires that patients, and third parties they designate, be able to obtain electronic copies of their PHI. This applies to any provider using an EHR.
Business Associates – Under the HITECH Act, business associates are directly subject to the HIPAA Security Rule and to its penalties, rather than being bound only by contract with the covered entity.
Stringent Non Disclosure and Confidentiality Agreements
Practices should have all employees sign a non-disclosure and confidentiality agreement to protect confidential patient information as well as confidential information about the business and financial interests of the practice.
Practices should perform periodic audits for unauthorized access to PHI, for system access and for physical access.
The HIPAA Security Rule requires covered entities to conduct four types of audit. Three are periodic and one is commonly done annually. The periodic audits are an information system activity review, user log-in monitoring, and audit log review (of logs from applications, databases and other systems that store, use or disclose PHI). The fourth is called an evaluation and is more commonly known as a compliance audit; the rule itself only requires that it be periodic, but an annual cycle is the usual practice.
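The following is an added example, not code from the original page, showing what the periodic "user log-in monitoring" and "audit log review" look like when actually run over records. It assumes a simple pipe-delimited audit log format (timestamp|user|event|patient_id|outcome), constructed sample records, and illustrative thresholds (business hours, failed-login burst size, distinct-patient count, a list of terminated accounts); none of these come from the page or from any specific EHR product.

```python
"""Audit log review over constructed PHI access records (added example).

The log format, field names, thresholds and user lists below are
assumptions for illustration, not from the original page or any EHR.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed review parameters; a practice would set these in policy.
BUSINESS_HOURS = (time(7, 0), time(19, 0))      # PHI access outside this is flagged
FAILED_LOGIN_THRESHOLD = 5                      # failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)      # ... within this window
BULK_ACCESS_THRESHOLD = 10                      # distinct patients per user per day
TERMINATED_USERS = {"tgone"}                    # accounts that should be disabled


def build_sample_log() -> str:
    """Constructed sample records: timestamp|user|event|patient_id|outcome."""
    lines = [
        "2024-03-04T08:02:11|jsmith|LOGIN||SUCCESS",
        "2024-03-04T08:05:40|jsmith|VIEW_RECORD|P1001|SUCCESS",
        "2024-03-04T08:06:12|jsmith|VIEW_RECORD|P1002|SUCCESS",
        "2024-03-04T23:41:05|jsmith|VIEW_RECORD|P2210|SUCCESS",  # off-hours
        "2024-03-04T09:00:01|rdoe|LOGIN||FAILURE",
        "2024-03-04T09:00:09|rdoe|LOGIN||FAILURE",
        "2024-03-04T09:00:15|rdoe|LOGIN||FAILURE",
        "2024-03-04T09:00:22|rdoe|LOGIN||FAILURE",
        "2024-03-04T09:00:30|rdoe|LOGIN||FAILURE",  # 5th failure in 29 s
        "2024-03-04T09:00:44|rdoe|LOGIN||SUCCESS",
    ]
    # rdoe then opens 12 distinct charts in under a minute (constructed).
    for i in range(12):
        lines.append(f"2024-03-04T10:15:{i:02d}|rdoe|VIEW_RECORD|P3{i:03d}|SUCCESS")
    # Activity from an account that should have been disabled (constructed).
    lines.append("2024-03-04T11:30:00|tgone|VIEW_RECORD|P4004|SUCCESS")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse the assumed pipe-delimited format into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient, outcome = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "patient": patient or None,
            "outcome": outcome,
        })
    return records


def review(records: list) -> list:
    """Apply the four review rules and return a list of findings."""
    findings = []

    # Rule 1 (log-in monitoring): N failed logins inside a short window.
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN" and r["outcome"] == "FAILURE":
            failures[r["user"]].append(r["ts"])
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                findings.append({"rule": "failed_login_burst", "user": user,
                                 "detail": f"{FAILED_LOGIN_THRESHOLD} failures starting {times[i]}"})
                break

    # Rule 2 (audit log review): PHI access outside business hours, one finding per event.
    for r in records:
        if r["event"] == "VIEW_RECORD":
            t = r["ts"].time()
            if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
                findings.append({"rule": "off_hours_phi_access", "user": r["user"],
                                 "detail": f"{r['patient']} at {r['ts']}"})

    # Rule 3 (audit log review): unusually many distinct patients per user per day.
    per_day = defaultdict(set)
    for r in records:
        if r["event"] == "VIEW_RECORD":
            per_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in per_day.items():
        if len(patients) > BULK_ACCESS_THRESHOLD:
            findings.append({"rule": "bulk_phi_access", "user": user,
                             "detail": f"{len(patients)} distinct patients on {day}"})

    # Rule 4 (information system activity review): any activity by a terminated account.
    for user in sorted({r["user"] for r in records} & TERMINATED_USERS):
        findings.append({"rule": "terminated_account_activity", "user": user,
                         "detail": "account should have been disabled"})

    return findings


if __name__ == "__main__":
    for f in review(parse_log(build_sample_log())):
        print(f"{f['rule']:28} {f['user']:8} {f['detail']}")
```

Each finding is a lead for the reviewer, not a conclusion: a clinician on call legitimately opens charts at 23:41, and a front-desk user may open many records on a busy day. The value of the review is that each flagged event gets a documented justification or an incident ticket, which is the evidence a compliance audit will ask for.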