The answer to the question depends on how well you can demonstrate your firm’s competency in keeping patient data secure and your readiness in dealing with potential data breach scenarios. How do you demonstrate this to the auditor or even to your own management?
Data security is not just about technology but also involves developing and implementing appropriate data security policies and procedures. These policies and procedures are developed with an appreciation of the organization's data risk profile, which is obtained by conducting a thorough business-technology risk analysis. The goal is to minimize the risk to patient data.
Policies and procedures must be:
- Comprehensive and cover all the administrative, physical, and technical safeguards in place to protect ePHI (electronic protected health information)
- Relevant and up-to-date
- Well documented
- Reviewed periodically
Some policy examples include:
- Risk analysis policy – Mandates annual risk analysis and defines its scope and methodology.
- Access and Audit control policy – Clearly defines the process for granting/revoking ePHI access.
- Contingency planning policy – Data backup and disaster recovery plans, procedures to protect ePHI while operating during an emergency.
- Mobile device management policy – Computer policies regarding the use of laptops, tablets, smartphones, and USB memory devices to ensure ePHI security.
- Data retention/disposal policy – How long the ePHI is to be retained and steps for proper data disposal.
- Employee termination policy – States the steps that need to be taken when an employee resigns, is fired or laid off, such as changing passwords and revoking that individual’s access to facilities and computer systems.
- Sanction policy – Spells out the consequences for employees when they do not comply with the organization's data security policies and procedures.
Implementing appropriate policies and procedures to protect ePHI demonstrates your organization’s commitment to data security. Enforcing the policies sends a powerful message to all employees that your organization is really serious about protecting patient data and that non-compliance will have serious consequences.