We are HIPAA compliant:
• Guarantee patient privacy rights.
• Adopt written privacy procedures.
• Ensure that employees protect the privacy of health information.
• Train employees in the provider’s privacy procedures.
• Designate a privacy officer who is responsible for ensuring the privacy procedures are followed.
Evaluate current business processes to determine what needs to be done to ensure timely compliance. Specific attention is given to:
• How claims are submitted
• How patient records are maintained, released and communicated
• How patient consent and authorization forms are maintained
• How referrals are given or received
Assigned Security Responsibility:
The rule requires providers to assign security responsibility to a specific individual or organization and document that assignment. This responsibility includes the management and supervision of:
1. The use of security measures to protect data.
2. The conduct of the personnel in relation to the protection of data.
This assignment is important to provide organizational focus, indicate the importance of security and pinpoint responsibility.
We develop formal, documented policies and procedures that govern the receipt and removal of hardware and software (such as diskettes, tapes, and computers). These policies are important to ensure that media containing personal health information is protected and that those persons who are responsible for hardware/software maintenance are aware of their responsibilities under HIPAA. These controls include the following mandatory implementation features:
• Controlled access to media
• Accountability (tracking mechanism)
• Data backup
• Data storage
Physical Access Controls:
We document formal policies and procedures for limiting physical access, while ensuring that properly authorized personnel can work freely. These controls include the following mandatory implementation features:
• Disaster recovery
• Emergency mode operation
• Equipment control (in and out of facility)
• A facility security plan
• Procedures for verifying access authorizations prior to physical access
• Maintenance records
• Need-to-know procedures for personnel access
• Sign-in for visitors and escorts, if appropriate
• Testing and revision
Policy/Guidelines on Workstation Use:
The organization has a policy on workstation use. These documented instructions must delineate the proper functions to be performed (e.g., logging off before leaving a terminal unattended). This is crucial so that employees understand the manner in which workstations must be used to maximize the security of health information.