Designing Administrative Policies for HIPAA Compliance
Building and managing administrative safeguards is an important part of the HIPAA compliance process. HIPAA administrative policies are part of an organization's HIPAA security program. Any organization that creates, receives, maintains, or transmits protected health information (PHI) must implement HIPAA administrative safeguards to maintain HIPAA compliance. These policies act as an organization's standard operating procedures for handling patient data, responding to emergencies and service outages, and managing staff access and training.
The HIPAA Security Rule lays out the standards for administrative safeguards, and the Privacy Rule adds administrative requirements such as workforce training and a designated privacy official. The HIPAA Security Officer and Privacy Officer are typically responsible for creating and maintaining policies. Specific requirements may lay out standards such as "developing and testing backup and disaster recovery plan" but not provide exact specifications for implementation. Your team must follow the prescribed minimum requirements, set the standards the team will follow, document how each standard is met, and create a process for reviewing and updating policies on an ongoing basis.
Best Practices for Developing Policies
When developing HIPAA administrative policies, organizations should follow these best practices:
- Follow the Principle of Least Privilege (PoLP) – This is the concept of providing minimal user and account privileges and access to protected health information (PHI). For organizations, this means limiting access to production environments and data, limiting the number of devices with access to PHI, and restricting PHI access to only necessary users.
- Test and Review Policies on a Frequent Basis – For policies with a technical component, such as backup, disaster recovery, and audit logging, your team should verify that the responsible staff can actually carry out the procedures and follow the policy, and record the results of each test. Data management is not only a part of HIPAA compliance, but is important to your organization's daily operations.
- Build with Your Organization and Technologies in Mind – Your team should consider the technologies staff and end-users use frequently and build your security program around them, rather than writing policies the tooling cannot enforce. Your organization should keep security top of mind when considering third-party services, such as email, cloud storage, etc., and confirm each one that will touch PHI is covered by a Business Associate Agreement.
Essential Administrative Policies
Below are some of the essential HIPAA administrative policies that should be implemented into an organization's security program.
Employee Policies and Compliance Training
HIPAA requires that your organization provides HIPAA training to new workforce members, along with periodic refresher training and security reminders for existing staff; annual refreshers are the common practice. Your Employee Policy should address how staff may access protected health information (PHI) and production data, acceptable mobile device and software usage, sanctions for violations, and the process for reporting security and compliance issues to superiors.
Risk Management
Your organization is required to identify and manage compliance risks over time. For HIPAA, this means scheduling and conducting risk assessments on a recurring basis (annually is common practice, and whenever the environment changes significantly), evaluating the findings, and implementing and tracking remediation of the security concerns identified.
Roles Policy
Under HIPAA, your organization is required to designate a Privacy Officer and a Security Officer. In smaller organizations a single individual can hold both titles.
Generally, the Privacy Officer oversees administrative safeguards such as setting and updating policies, managing vendors and PHI access, and conducting employee training and staff management activities. The Security Officer is tasked with managing the technical safeguards of HIPAA, such as implementing and reviewing backup and disaster recovery solutions, intrusion detection, audit logging services and other safeguards.
System Access
Your team must set restrictions on access to protected health information (PHI) and production systems. HIPAA requires organizations to grant only the minimum access necessary for a person's role. Your policies must outline the HIPAA technical controls that enforce this, including authentication, password requirements, automatic logoff, periodic access review, and revoking employee access promptly on termination or role change.
Facility Access
HIPAA requires that PHI is physically secured. For healthcare companies and organizations where PHI is stored on office devices, doors and entrances must be locked and access to them controlled. On-premise systems must be physically secured. For PHI stored with cloud providers, the provider is responsible for the physical security of its data centers under the cloud shared responsibility model, and the organization must have a signed Business Associate Agreement (BAA) with that provider documenting those obligations.
Disaster Recovery
HIPAA requires that organizations have backup and recovery processes in place in case of emergencies or service outages. A Disaster Recovery Policy should outline implementation, testing, and the process for conducting disaster recovery of applications and services including:
- Define staff members responsible for testing and running the disaster recovery process
- Set trigger events for activating your recovery plan
- Determine cloud services and availability zones that will be used for recovery
HIPAA Breach and Incident Response
HIPAA requires that your organization has a planned response for potential breaches. This includes staff reporting of compliance issues, investigating and documenting potential breaches, and notifying affected individuals and regulators within the timelines set by the HIPAA Breach Notification Rule.
Intrusion Detection
HIPAA requires that your team implements integrity controls for confirming that PHI "has not been altered or destroyed in an unauthorized manner". An intrusion detection system (IDS) monitors systems and networks handling PHI and alerts on activity that may indicate a breach. A proper IDS policy defines what is monitored, who receives alerts, and how they are triaged, so that teams can detect a potential security breach as it happens rather than discovering it afterwards.
Vulnerability Scanning
Organizations are required to perform risk analysis of services handling PHI. Conducting vulnerability scanning within your environment is part of that analysis and of ensuring data integrity. Vulnerability scanning enables teams to detect configuration and network issues with cloud infrastructure, servers, and production services; the policy should state how often scans run and how long findings of each severity may remain open.
Audit Logging
HIPAA requires that organizations implement audit controls "that record and examine activity in information systems that contain or use electronic protected health information (ePHI)". Organizations must implement audit logging on systems with PHI and review the logs, not merely collect them. Since logs may contain PHI themselves, they should be secured and encrypted in a similar manner to other protected health information, and protected against alteration so that they remain trustworthy evidence during an investigation.
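The integrity controls under Intrusion Detection and the audit controls above both come down to the same capability: being able to show, after the fact, who touched ePHI and that the record of it has not been altered. The following Python example is added here to illustrate one way to build such a log; it is not code from the original article or from any particular product. It chains each audit entry to the previous one with an HMAC so that editing, reordering or deleting an entry is detectable, and it stores a keyed pseudonym in place of the raw patient identifier so the log can be examined without itself exposing PHI. The keys, the sample events and the function names are all constructed for this example.

```python
"""Tamper-evident audit log with PHI minimisation (illustrative example).

Each record carries an HMAC tag computed over the previous record's tag and
its own canonical body, so any edit, reorder or deletion breaks the chain.
Patient identifiers are replaced with a keyed pseudonym before being logged.
"""
import hashlib
import hmac
import json

# Constructed example keys. In a real deployment these come from a KMS/HSM
# and are never hard-coded in source.
LOG_KEY = b"example-log-integrity-key-0123456789"
PSEUDONYM_KEY = b"example-pseudonym-key-abcdefghijklmn"
GENESIS_TAG = "0" * 64  # chain anchor for the first record


def pseudonymize(patient_id: str) -> str:
    """Keyed one-way token: same patient -> same token, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def _tag(prev_tag: str, body: dict) -> str:
    # Canonical JSON so writer and verifier hash byte-identical input.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_tag.encode() + canonical, hashlib.sha256).hexdigest()


def append_record(log: list, ts: str, actor: str, action: str, patient_id: str, outcome: str) -> dict:
    """Append one audit entry. The raw patient_id is never written to the log."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "subject": pseudonymize(patient_id),
        "outcome": outcome,
    }
    record = {"body": body, "tag": _tag(prev_tag, body)}
    log.append(record)
    return record


def verify_log(log: list) -> tuple:
    """Recompute the whole chain. Returns (ok, seq_of_first_bad_record_or_None)."""
    prev_tag = GENESIS_TAG
    for expected_seq, record in enumerate(log):
        body = record["body"]
        if body["seq"] != expected_seq:          # gap or reorder
            return False, expected_seq
        if not hmac.compare_digest(record["tag"], _tag(prev_tag, body)):
            return False, expected_seq           # edited body or forged tag
        prev_tag = record["tag"]
    return True, None


def log_mentions(log: list, text: str) -> bool:
    """True if the serialized log contains `text` anywhere (used to check PHI did not leak)."""
    return text in json.dumps(log)


def build_sample_log() -> list:
    """Constructed sample activity; these are not real events or people."""
    log = []
    append_record(log, "2024-03-01T09:00:00Z", "nurse.jsmith", "view_chart", "MRN-1001", "success")
    append_record(log, "2024-03-01T09:05:12Z", "nurse.jsmith", "update_chart", "MRN-1001", "success")
    append_record(log, "2024-03-01T09:07:40Z", "billing.kwong", "export_records", "MRN-1002", "denied")
    return log


def tampered_copy(log: list) -> list:
    """Simulate an insider rewriting a denied export so it reads as successful."""
    copy = json.loads(json.dumps(log))
    copy[2]["body"]["outcome"] = "success"
    return copy


def deleted_copy(log: list) -> list:
    """Simulate deleting the middle record to hide a chart update."""
    copy = json.loads(json.dumps(log))
    del copy[1]
    return copy


if __name__ == "__main__":
    sample = build_sample_log()
    print("original :", verify_log(sample))
    print("edited   :", verify_log(tampered_copy(sample)))
    print("deleted  :", verify_log(deleted_copy(sample)))
    print("raw MRN in log?", log_mentions(sample, "MRN-1001"))
```

The verifier reports the sequence number of the first record that fails, which is what an investigator needs to scope an incident. In practice the chain tag is periodically copied to write-once storage or a separate account so that an attacker who controls the logging host cannot simply rebuild the chain, and the pseudonym key is held by the privacy function so that re-identification for a legitimate investigation is itself an audited action.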
What Do Healthcare Providers Expect?
Learn about the security process Healthcare organizations have for evaluating new partners and solutions.
Hospitals and healthcare providers are exposed to greater compliance and security risks as they work with new healthcare vendors, digital health companies, and startups. The provider's Security Team or Compliance Team will often have a process for vetting any new software solution they are considering.
Healthcare providers often ask prospective new partners to complete a security assessment or questionnaire. Security questionnaires are typically aimed at determining that healthcare vendors:
- Have established administrative policies that are properly followed and reviewed.
- Have solutions implemented for managing technical safeguards.
- Are working with infrastructure and third-party services in a compliant manner, with Business Associate Agreements in place where PHI is shared.
- Limit staff and user access to only those necessary.
- Can provide reliable service without downtime and interruption.
- Follow security best practices and can properly handle emergencies.