Since the HIPAA Privacy Rule compliance date in April 2003, a major goal of the Rule has been to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. We are all aware of the policies and procedures that had to be put in place, including patient privacy notices, consent forms, and appropriate disclosures.

Under the HIPAA Security Rule, specific policies and procedures are likewise expected to be documented and in place, and the documentation must be kept current and available to the workforce members responsible for carrying them out.

Some of the policies and procedures that are frequently overlooked, and that must be tailored to the Covered Entity (or its Business Associate) rather than copied from a template, include:

  • Sanction Policy: appropriate sanctions must be in place and applied so that workforce members understand the consequences of failing to comply with security policies and procedures. Document each sanction that is applied.
  • Information System Activity Review: regularly reviewing audit logs, access reports and security incident tracking reports enables a Covered Entity to determine whether ePHI has been used or disclosed inappropriately. The policy should state what is reviewed, how often, and by whom, and each review should be recorded (reviewer, date, findings, follow-up) so that it can be shown to have occurred.
  • Security Incident Policy: procedures must address how security incidents are identified, how they are reported to the appropriate person(s), how they are responded to and mitigated, and how the incident and its outcome are documented.
  • Disaster Recovery Plan: the plan must establish, and the organization must implement, procedures to restore any loss of data as well as to recover the physical facilities and operations of the organization. A plan that has never been tested is of little value when it is needed, so test it and revise it as systems change.
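As an added illustration of what an Information System Activity Review looks like in practice (this is example code, not from the original post), the following Python applies a few review rules to constructed sample access-log lines and records the outcome of the review. The log format, the active-workforce roster, the business-hours window and the bulk-access threshold are all assumptions for illustration; a real review runs against the audit logs your EHR or practice-management system actually produces, and the rules and thresholds should come from your own policy.

```python
"""Added example: an Information System Activity Review over constructed
ePHI access-log lines. Not code from the original post. The log format,
workforce roster and thresholds below are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, date

# Constructed sample log (not real data): timestamp, user, action, patient ID.
SAMPLE_LOG = """\
2024-03-04T09:12:05 jsmith VIEW P1001
2024-03-04T09:14:40 jsmith VIEW P1002
2024-03-04T22:31:10 jsmith VIEW P1003
2024-03-04T10:02:00 rdoe EXPORT P2001
2024-03-04T10:02:01 rdoe EXPORT P2002
2024-03-04T10:02:02 rdoe EXPORT P2003
2024-03-04T10:02:03 rdoe EXPORT P2004
2024-03-04T10:02:04 rdoe EXPORT P2005
2024-03-04T10:02:05 rdoe EXPORT P2006
2024-03-04T11:45:00 tlee VIEW P3001
"""

# Assumed active-workforce roster; tlee is absent (e.g. a terminated user
# whose account was never disabled).
ACTIVE_USERS = {"jsmith", "rdoe"}
BUSINESS_HOURS = (7, 19)   # assumed review rule: 07:00-19:00 local time
BULK_THRESHOLD = 5         # assumed review rule: >5 distinct patients/user/day


def parse_log(text):
    """Parse the constructed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def review_activity(events, active_users=ACTIVE_USERS,
                    business_hours=BUSINESS_HOURS,
                    bulk_threshold=BULK_THRESHOLD):
    """Return (rule, user, detail) findings for events that merit follow-up.

    Rules (all assumed for this example):
      inactive_user - access by an account not on the active roster
      after_hours   - access outside the business-hours window
      bulk_access   - more distinct patient records per day than the threshold
    """
    findings = []
    patients_per_user_day = defaultdict(set)
    start, end = business_hours
    for e in events:
        if e["user"] not in active_users:
            findings.append(("inactive_user", e["user"], e["patient"]))
        if not (start <= e["ts"].hour < end):
            findings.append(("after_hours", e["user"], e["patient"]))
        patients_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > bulk_threshold:
            findings.append(("bulk_access", user,
                             f"{len(patients)} patients on {day}"))
    return findings


def document_review(reviewer, events, findings, review_date=None):
    """Produce the record that shows the review actually took place."""
    return {
        "reviewer": reviewer,
        "date": (review_date or date.today()).isoformat(),
        "events_reviewed": len(events),
        "findings": findings,
        "follow_up_required": bool(findings),
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = review_activity(evts)
    record = document_review("security.officer", evts, found)
    for rule, user, detail in found:
        print(f"{rule:14} {user:8} {detail}")
    print(record)
```

Each finding here is a prompt for a human to investigate, not a conclusion: after-hours access may be an on-call clinician, and a bulk export may be a legitimate billing run. The point of the review record is that someone looked, on a given date, and either closed each item or escalated it under the Security Incident Policy.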

Security and compliance come first in the management of our clients' systems. After conducting thousands of Security Risk Assessments (SRAs), we saw the same vulnerabilities emerge again and again. We launched HIPAA Tip Tuesday to make clients aware of the actions they can take to address them.

Have a great week!