• E-mail
• Print
• RSS

Address inadequate HIPAA Security Rule-required policies and procedures

HIM Connection, November 30, 2010

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

CMS detailed seven shortcomings, including old and inadequate policies and procedures, found in its 2009 audits of healthcare organizations to determine compliance with the HIPAA Security Rule. CMS detailed the findings in its 2009 HIPAA Compliance Review Analysis and Summary of Results report.

• Develop and formally document a policy and procedures requiring that management periodically review policies and procedures. This policy should outline the maximum time frame between reviews and require management review when systems or the environment change significantly. One of a CE’s designated HIPAA security officers must be a permanent member of the team that develops policies and procedures. Procedures should allow management to conduct reviews in a timely manner that complies with documented policy. If possible, CEs should standardize this process for all departments or groups responsible for maintaining policies and procedures.
• Develop a standard format for documenting policies and procedures. This format should accommodate multiple types of documents but should maintain information about document revisions, including all revision dates, the individual who revised the document, the date of the most recent approval of the document, and the individual who approved it.
• Conduct periodic evaluations, either internally or through a third party, to assess the effectiveness of policies and procedures and compliance with the Security Rule. CEs can perform this assessment using various methods, including interviews, process walk-throughs, and assessment of the actual results of these processes.

Want to receive articles like this one in your inbox? Subscribe to HIM Connection!

• E-mail to a Colleague
• Print
• RSS
• Archive