We’ve compiled the top 10 IT policies and procedures to ensure HIPAA & HITECH compliance for your practice.
It’s important to have these policies in place and documented so you and your staff have a clear understanding of the compliance requirements and to reinforce these standards to existing and new employees for their onboarding process. The Top 10 are as follows:
- Perform a Risk Analysis: Identify any risks to electronic protected health information (EPHI).
- Access Control Policy: Access should only be granted to software or personnel with documented rights to maintain EPHI.
- Workstation Use Policy: Policies must be in place and documented specifying the functions permitted to be performed by staff whether onsite or working remotely.
- Adoption of Email Policy: Policies for email and mobile devices should be documented and enforced. Emails that contain EPHI must be encrypted.
- Security Training: Your practice should conduct and thoroughly document security update training sessions at predetermined intervals.
- Malicious Software Controls: Anti-virus and malware protection are mandated and updates must be documented. Any instances of malicious attacks must be recorded and reported.
- Disaster Recovery Plan: In an event of system failure or natural disaster documentation must be in place to specify the resources, actions, and data required to retrieve healthcare information.
- Media Disposal Policy: Destruction and removal of computer equipment containing or having the potential to contain EPHI must be documented to show the proper disposal methods were adhered to.
- Document & Audit: All the aforementioned policies and procedures must be physically documented and readily available for inspection if requested. A central repository containing all the necessary documentation is recommended
These are our Top Ten policies and procedures but as you are aware there are many facets to HIPAA & HITECH compliance.