HIPAA Healthcare Security Policies

The HIPAA healthcare security policies outline national security standards intended to ensure the integrity, confidentiality and security of patient health records.

Three parts to the HIPAA Healthcare Security Policies:

  1. Administrative Safeguards – The administrative components are central to implementing a HIPAA compliance program.
  2. Technical Safeguards – Technical safeguards outline what your application must do while handling PHI. There are both required and addressable elements to these safeguards.
  3. Physical Safeguards – The Physical Safeguards concern who has physical access to PHI data and how that access is managed. HIPAA compliant hosting companies (such as TrueVault, AWS, Firehost and Rackspace) handle many of these requirements.

Questions to Consider:

Does your organization have a documented information security program?

The required policies and procedures must be maintained in writing, and any other communication, action, activity, or designation that must be documented under this regulation must also be documented in writing. “Writing” includes electronic storage; paper records are not required. Organizations are required to retain any documentation required under the Security Rule for at least six years (the statute of limitations period for the civil penalties) from the date of the creation of the documentation, or the date when the document was last in effect, whichever is later.

Do your organization’s security policies cover the following items?

  • Code of Conduct
  • Account Management
  • Passwords
  • Data Classification
  • Third Party Information Security
  • Mobile Computing
  • Use of Cryptography
  • Disaster Recovery
  • Data Secure Disposal
  • Email Appropriate Use
  • Internet Appropriate Use

Are Security Policies approved by management?

Are Security policies communicated to all relevant parties including employees, contractors and other third parties?

All employees, contractors and other third parties working with the organization must undergo a security policy training session upon hiring or partnership. This security policy training is then renewed annually. Any changes in security policy are updated in the organization’s security documentation and communicated to the appropriate parties via email. Managers are also required to communicate any major changes verbally.

Are Security policies reviewed and updated at least annually?

Are Security Policies legally binding on all relevant parties, including employees, contractors, and other third parties?

How does your organization determine the suitability of its vendors with regard to adhering to the communicated Security Policies?