10 IT Policies and Procedures you must have to ensure HIPAA Compliance

October 8th, 2014

We’ve compiled the top 10 IT policies and procedures to ensure HIPAA & HITECH compliance for your practice.

It’s important to have these policies in place and documented so you and your staff have a clear understanding of the compliance requirements, and to reinforce these standards with existing employees and with new employees during their onboarding process. The Top 10 are as follows:

  1. Perform a Risk Analysis: Identify any risks to electronic protected health information (EPHI).
  2. Develop a Privacy Policy: Develop and implement a written privacy policy as well as dedicate personnel or a privacy official to implement these policies.
  3. Access Control Policy: Access should only be granted to software or personnel with documented rights to maintain EPHI.
  4. Workstation Use Policy: Policies must be in place and documented specifying the functions staff are permitted to perform, whether onsite or working remotely.
  5. Adoption of Email Policy: Policies for email and mobile devices should be documented and enforced. Emails that contain EPHI must be encrypted.
  6. Security Training: Your practice should conduct and thoroughly document security update training sessions at predetermined intervals.
  7. Malicious Software Controls: Anti-virus and malware protection are mandated and updates must be documented. Any instances of malicious attacks must be recorded and reported.
  8. Disaster Recovery Plan: In the event of a system failure or natural disaster, documentation must be in place specifying the resources, actions, and data required to retrieve healthcare information.
  9. Media Disposal Policy: Destruction and removal of computer equipment containing or having the potential to contain EPHI must be documented to show the proper disposal methods were adhered to.
  10. Document & Audit: All the aforementioned policies and procedures must be physically documented and readily available for inspection if requested. A central repository containing all the necessary documentation is recommended.

These are our Top Ten policies and procedures, but as you are aware, there are many facets to HIPAA & HITECH compliance.