Designate a HIPAA team
- Manage and enforce compliance policies and procedures
- Educate staff. It is important for all employees to be aware of what the HIPAA regulations and policies are, how and why the organization needs to become compliant and what the potential penalties and fines are for non-compliance.
- Handle data
- Enforce policies
- Answer questions
- Lead corporate efforts. Act as a liaison among business and IT management, employees, HR and Legal departments.
HIPAA employee awareness compliance training
- Define sensitive patient information.
- Clarify how sensitive patient information should be protected.
- Clarify who is allowed to access sensitive patient information.
Restrict and monitor employee access
- Administer data-handling policies.
- Administer access controls, both adds and deletes. Avoid expansive privileges. There are several identity and access management (IAM) tools available on the market with reporting and auditing capabilities that can assist with user provisioning and with managing and controlling who has access to what.
- Monitor access.
- Review access. Access to sensitive materials should be restricted to only those who absolutely need it.
- Monitor system changes, and move sensitive information to secure locations.
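As an added example that is not part of the original checklist, the following Python script performs a minimal access review of the kind the items above describe: it takes a constructed IAM export and access log and flags PHI entitlements held by users outside PHI-handling roles, grants unused for 90 days (candidates for removal), and PHI access with no grant on record. The role names, entitlement names and dates are assumptions for illustration.

```python
from datetime import date

# Constructed sample data (not from any real system).
# Roles with a legitimate need to access protected health information (PHI).
PHI_ROLES = {"physician", "nurse", "billing"}
PHI_ENTITLEMENTS = {"ehr_read", "ehr_write"}

# IAM export: user -> (role, set of entitlements currently granted)
ACCESS_GRANTS = {
    "alice": ("physician", {"ehr_read", "ehr_write"}),
    "bob":   ("billing",   {"ehr_read"}),
    "carol": ("marketing", {"ehr_read"}),   # PHI access outside a PHI role
    "dave":  ("nurse",     {"ehr_read"}),   # granted but never used
}

# Access log entries: (user, entitlement, date used)
ACCESS_LOG = [
    ("alice", "ehr_write", date(2024, 5, 30)),
    ("alice", "ehr_read",  date(2024, 5, 31)),
    ("bob",   "ehr_read",  date(2024, 5, 28)),
    ("carol", "ehr_read",  date(2024, 5, 29)),
    ("erin",  "ehr_read",  date(2024, 5, 29)),   # no grant on record
]
REVIEW_DATE = date(2024, 6, 1)

def review_access(grants, log, today, stale_days=90):
    """Return review findings: over-privileged users, stale grants, ungranted use."""
    findings = {"over_privileged": [], "stale": [], "ungranted_use": []}
    # Most recent use of each (user, entitlement) pair seen in the log.
    last_used = {}
    for user, ent, when in log:
        if (user, ent) not in last_used or when > last_used[(user, ent)]:
            last_used[(user, ent)] = when
    for user, (role, ents) in grants.items():
        phi_ents = ents & PHI_ENTITLEMENTS
        if phi_ents and role not in PHI_ROLES:
            findings["over_privileged"].append(user)
        for ent in sorted(phi_ents):
            used = last_used.get((user, ent))
            if used is None or (today - used).days > stale_days:
                findings["stale"].append((user, ent))   # candidate for removal
    for user, ent in last_used:
        if user not in grants or ent not in grants[user][1]:
            findings["ungranted_use"].append((user, ent))
    return findings

def run_review():
    return review_access(ACCESS_GRANTS, ACCESS_LOG, REVIEW_DATE)

if __name__ == "__main__":
    for kind, items in run_review().items():
        print(kind, items)
```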
Encryption, data protection and data handling policies
- Implement a data handling policy.
- Implement a data classification policy. Identify different types of data based on privacy and security demands. Information should be classified depending on its location, type, how sensitive it is to risk, and what storage, transmission or other security measures are currently in place to protect it. Your data-classification policy should determine what information needs advanced security measures, such as encryption or written permission for data sharing. If certain data is extremely sensitive, more advanced security measures should be taken to ensure its protection.
- Implement a data sharing policy. If an employee wants or needs to share data with another party, written permission should be required. This reduces the likelihood of unnecessary or malicious information sharing. The policy should cover email as well: outbound messages should be filtered for information disclosure.
- Implement data loss prevention (DLP) technologies. Unintentional disclosure can occur when someone “shoulder surfs” or when electronic media (including USB devices and laptops) are lost or left unsecured. Drive encryption is often employed in conjunction with inactivity timeouts to limit the exposure from a lost or unattended device.