HIPAA Security Measures

Implementing HIPAA security measures to manage risk in your practice has never been more important. With the rise of healthcare breaches, the success of your practice comes down to your HIPAA security measures.

Assessing Your HIPAA Security Measures

There are several questions to address when determining whether or not you have adequate HIPAA security measures in place. HIPAA security measures ensure the confidentiality, integrity, and availability of protected health information (PHI). The following questions will help you manage your risk by determining areas in which your security measures may be lacking.

1. Have you conducted your annual self-audits?
Self-audits assess your organization’s safeguards against HIPAA standards. This is an important aspect of HIPAA security as it identifies vulnerabilities in your safeguards. Identifying vulnerabilities allows you to create remediation plans to bring your safeguards up to HIPAA standards.

2. Do you have documented policies and procedures?
Policies and procedures dictate the proper uses and disclosures of PHI, the security measures you have in place to secure PHI, and the proper measures to take should you experience a breach. Your policies and procedures must be documented and reviewed annually to account for any changes in your practice’s operations. Implementing policies and procedures reduces your risk because they provide standards for protecting PHI.

3. Have your employees received their HIPAA training?
All employees must be trained annually on HIPAA standards and your organization’s policies and procedures. Employee training is a key component of managing risk in your practice because trained employees know how they may use and disclose PHI.

4. Do you have signed business associate agreements with all of your vendors?
Any vendor that creates, receives, transmits, stores, or maintains PHI on your behalf is considered a business associate. To ensure that your business associates have proper HIPAA security measures implemented, you must vet your vendors and have them sign business associate agreements (BAAs). BAAs dictate the security measures your vendors are required to have in place and require them to manage and maintain their HIPAA compliance.

5. Are your devices that touch PHI encrypted?
All devices that have contact with PHI must have reasonably appropriate HIPAA security measures in place to secure sensitive data. In most cases, reasonably appropriate security measures refer to encryption. Encryption is the most secure method for securing your data because it masks the data, making it readable only to authorized users who possess a decryption key.