Whether you are a large or small organization – a hospital or surgery center, or a one- or two-doctor practice – there are specific policies and procedures that are expected and required to be in place under the HIPAA Security Rule; they are part of the Administrative Safeguards.

Policies may be standard; however, procedures are based on the organization’s specific criteria and need to be documented.

Some of the policies and procedures include:

  • Background Check Policy and Procedure: Exactly what steps does the organization follow when conducting a background check?
  • Termination Policy and Procedure: Does the organization conduct an Exit Interview? Is there an offboarding checklist for separated employees? Who is involved in the termination process – HR, IT?
  • Facility Security Plan: The organization needs a documented plan covering the physical security measures that are in place. How are the server and workstations secured? Who has access to the facility after hours, and how is that access monitored? Is there an alarm system or are security cameras in place?
  • HIPAA and Information Security Training Policy: Does the policy explain how and when training will occur? How is training documented? Is training provided upon hire and continued throughout the year?

For more information on Administrative Safeguards and the required policies and procedures, see: HIPAA Security Rule Administrative Safeguards

Security and compliance are first and foremost in the management of our clients' systems. After conducting thousands of SRAs, common vulnerabilities began to emerge. We launched HIPAA Tip Tuesday to make clients aware of what actions they can take to address these vulnerabilities.

Have a great week!