Howard Anderson interviewed former HIPAA enforcer Adam Greene, who stated:
“An important component of preparing for a potential HIPAA compliance audit is to complete a ‘walk through’ to make sure privacy and security policies and procedures are practical and effective.”
We have long recommended this informal process, and in fact have supplied a short HIPAA Compliance Checklist:
HIPAA Compliance Checklist
- Have you formally designated a person or position as your organization’s privacy and security officer?
- Do you have documented privacy and information security policies and procedures?
- Have they been reviewed and updated, where appropriate, in the last six months?
- Have the privacy and information security policies and procedures been communicated to all personnel, and made available for them to review at any time?
- Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers?
- Have you done a formal information security risk assessment in the last 12 months?
- Do you regularly make backups of business information, and have documented disaster recovery and business continuity plans?
- Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is transmitted over public networks and when it is stored on mobile computers and portable storage devices?
- Do you require information, in all forms, to be disposed of using secure methods?
- Do you have a documented breach response and notification plan, and a team to support the plan?
It is critical that your written policies and procedures are the actual business rules by which you run your company. The auditor will compare what staff actually do against the written policies and procedures to see whether they match.
Cross-posted from Compliance Helper