Friday, April 23, 2010

HIPAA - Brief Overview of Guidelines

HIPAA security rules and compliance guidelines
HIPAA's standards require that all healthcare industries apply and enforce certain protections.

1) Organizations must have an administrative authority in charge of managing and enforcing HIPAA compliance rules, regulations and efforts. There should be a clear set of guidelines in place regulating who is and isn't permitted to access patient information. All access to sensitive data and systems should be monitored.

2) Documentation should be provided to patients informing them of their rights.

3) All corporate systems, machines and buildings must have physical and technical data-protection and intrusion-protection controls to prevent malicious hackers and other unauthorized access.

4) There must be a traffic-monitoring device, such as a firewall, in place to examine activity coming into and leaving the organization's network.

5) Management should practice risk assessments, data-handling policies, data loss prevention (DLP) and record all security policies and procedures.

Note: These steps are numbered for ease of reading and do not denote actual steps taken from the requirements.

Appoint a central HIPAA management person or persons
These key people will be liaisons between your business and IT management teams. The goal is to delegate the responsibility of managing and enforcing compliance policies and procedures to a specific person or group. Their tasks will be to educate staff, handle data, enforce policies, answer questions and lead corporate efforts.

You will also need to make sure that all employees are aware of what the HIPAA regulations and policies are, how and why the organization needs to become compliant, and what the potential penalties and fines are for non-compliance.

HIPAA employee awareness compliance training
All organizations affected by HIPAA should ask employees to undergo some form of HIPAA training to ensure the rules and regulations are clear and everyone is on the same page. You will need proof of this training! The training sessions should clearly identify what constitutes sensitive patient information, how it should be protected and who is allowed to access that information. This is critical if you ever have an incident where an employee claims that he or she was unaware of the HIPAA policies and procedures.

Restrict and monitor employee access
Administering access controls and data-handling policies is an essential part of every good compliance program. Access to sensitive data and materials must be restricted to only those who absolutely need it to perform their job function. Additionally, their access should be monitored frequently and updated as required. Note: if you terminate an employee or they change positions, remember to update access controls so the wrong people are not left with open access privileges.

Jamie's MOTTO.....

Don't follow the path that is already there....go instead where there is no path....and leave a trail....

This trail is a part of a long journey .....