HIPAA Administrative Safeguards

Three words: "Training", "Training", "Training".

It is essential that your staff know how important data management is, how to work securely with live data, and how to deal with data at the end of its life.

  • Conducting risk assessments – Among the Security Officer's main tasks is the compilation of a risk assessment to identify every area in which ePHI is being used, and to determine all of the ways in which breaches of ePHI could occur.
  • Introducing a risk management policy – The risk assessment must be repeated at regular intervals, with measures introduced to reduce the risks to an appropriate level. A sanctions policy for employees who fail to comply with HIPAA regulations must also be introduced.
  • Training employees to be secure – Training schedules must be introduced to raise awareness of the policies and procedures governing access to ePHI, and of how to identify malicious software attacks and malware. All training must be documented.
  • Developing a contingency plan – In the event of an emergency, a contingency plan must be ready to enable the continuation of critical business processes while protecting the integrity of ePHI for as long as the organization operates in emergency mode.
  • Testing the contingency plan – The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
  • Restricting third-party access – It is the role of the Security Officer to ensure that ePHI is not accessed by unauthorized parent organisations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI.
  • Reporting security incidents – The reporting of security incidents is different from the Breach Notification Rule (below) inasmuch as incidents can be contained and data retrieved before the incident develops into a breach. Nonetheless, all employees should be aware of how and when to report an incident so that action can be taken to prevent a breach whenever possible.

In short: a damn good AUDIT TRAIL and a set of CLEARLY DEFINED PROCEDURES. To understand your responsibilities, contact Secure Data Recycling.