Since there is no specific standard or independent audit framework, HIPAA compliance is a self-certification that your organization believes it has met the relevant requirements. The best way to achieve this is by instituting a data security strategy that strives for security of your overall system, rather than focusing on HIPAA regulations alone, which dictate security for just PHI.
To address both security and compliance, a solution should include the following:
- A Comprehensive Risk Management Program: Risk assessment and management are at the heart of the HIPAA security rule and an annual requirement. Without properly identifying the risks associated with how your organization handles PHI, you will not be able to justify the security controls program you implement to protect it. Having a documented risk assessment and using that to develop your security controls program is the fundamental building block of a HIPAA compliance program.
- Security Policy: First and foremost, your organization should have a clear policy that is documented and distributed to staff to detail what is and is not acceptable, what is required and who is responsible for what.
- Access Control: Who should have access to what information and in which situations? Your first line of security is at the access point. Make sure your policy dictates which employees can access certain types of information and that you appropriately establish access privileges.
- Comprehensive Security Controls: In addition to access controls, your solution must include additional data protection which may include, but shouldn’t be limited to, encryption of data, the authentication of data received and the constant monitoring of your system for vulnerabilities and breaches.
- Breach Response Plan: Despite all best intentions and planning, breaches do happen. When they do, it’s essential that your organization can do the following:
- Rapidly detect the breach
- Quickly stop threat actors
- Patch vulnerabilities
- Restore lost data
- Notify appropriate parties in a timely manner