Information Access Management § 164.308(a)(4)(i) Restricting access to ePHI to only those who need it is a basic tenet of security. Compliance with this standard adds safeguards as needed to limit unnecessary or inappropriate access to, and disclosure of, protected health information.
Isolating Clearinghouse Functions 45 CFR § 164.308(a)(4)(ii)(A) This area applies if your organization processes data as a clearinghouse. Once you determine whether or not your organization performs clearinghouse functions, you must have policies and procedures in place that isolate that data from the rest of the larger organization.
Access Authorization 45 CFR § 164.308(a)(4)(ii)(B) A covered entity’s policies and procedures must identify who has authority to grant access privileges to ePHI. It must also state the process for granting access.
Access Establishment and Modification 45 CFR § 164.308(a)(4)(ii)(C) Once you have established your Access Authorization, you must have procedures in place to modify a user’s access should their job function or business requirement change.
Security Awareness and Training 45 CFR § 164.308(a)(5)(i) Covered entities and business associates are required to have Security Awareness training for all employees including the medical staff and physicians. This should be performed annually, and as new employees are hired. Security Awareness is your first line of defense in protecting patient data. Your employees can be your biggest liability or your largest asset.
Security Reminders 45 CFR § 164.308(a)(5)(ii)(A) Yearly security training is simply not enough to keep your workforce up to date on security threats. By implementing a security reminder program you ensure your employees stay current. Continued education is a MUST!
Protection from Malicious Code 45 CFR § 164.308(a)(5)(ii)(B) Your program should include the security measures needed to protect your network from viruses and other malicious code. This means not only technical safeguards such as anti-virus and anti-malware software, but also, again, educating staff on the dangers of malicious emails and websites.
Log-in Monitoring 45 CFR § 164.308(a)(5)(ii)(C) The HIPAA security officer, an IT vendor, or the actual user of the system should be monitoring log-ins, carefully watching for failed attempts that the user did not in fact make.
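One way to turn that review into a routine check, as an added example that is not part of the original page: the script below scans authentication log lines (constructed sample data in an assumed "timestamp RESULT user= src=" format, not any real product's format) and builds a per-user report that flags bursts of failures and a success arriving from a never-before-seen source right after failures, which is exactly the pattern a user would recognise as "attempts I did not make".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed line format:
# "<ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-01-15T08:01:10 FAILED user=jdoe src=10.0.0.5
2024-01-15T08:01:25 FAILED user=jdoe src=10.0.0.5
2024-01-15T08:01:40 FAILED user=jdoe src=10.0.0.5
2024-01-15T08:02:05 SUCCESS user=jdoe src=10.0.0.5
2024-01-15T09:15:00 SUCCESS user=asmith src=10.0.0.7
2024-01-15T22:30:00 FAILED user=asmith src=203.0.113.9
2024-01-15T22:30:20 FAILED user=asmith src=203.0.113.9
2024-01-15T22:31:00 SUCCESS user=asmith src=203.0.113.9
"""

def parse_line(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def login_report(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: {"failed": n, "known_sources": set, "review": [notes]}}.
    A note is added when `threshold` failures land inside `window`, and when a
    success follows failures from a source the user has never logged in from."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    report = defaultdict(lambda: {"failed": 0, "known_sources": set(), "review": []})
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    for ts, result, user, src in events:
        entry = report[user]
        if result == "FAILED":
            entry["failed"] += 1
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) == threshold:  # flag once, when the burst reaches threshold
                entry["review"].append(f"{threshold} failures within {window} from {src}")
        else:
            # Success after failures from an unfamiliar source deserves a second look
            if recent[user] and entry["known_sources"] and src not in entry["known_sources"]:
                entry["review"].append(f"success from new source {src} after failures")
            recent[user] = []
            entry["known_sources"].add(src)
    return dict(report)
```

Each user's "review" list is what the security officer or the user themselves would be asked to confirm or deny; a burst from the user's usual workstation (jdoe) reads as a typo, while asmith's entry is the case worth an actual conversation.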
Password Management 45 CFR § 164.308(a)(5)(ii)(D) All systems that contain ePHI should require strong passwords. This means at least 8 characters, with upper and lower case letters, numbers, and special characters. Don’t forget to change them regularly, and do not reuse the same password across multiple platforms. If at all possible, add a second authentication factor wherever one is available.
Let Aris work with you for an easy online path to HIPAA compliance