January 2021 - Compliance
If your business is involved in the collection, processing, access, storage, or transport of any patient healthcare records or PHI, you are obligated to implement and maintain the security controls defined in the HIPAA Security Rule. Is your business prepared for a HIPAA audit in the chaos of a global pandemic?
If you are utilizing any remote workers, it is crucial that you enforce and maintain the controls defined by the HIPAA Security Rule. The default login and password built into most routers are a known security risk. You must work with your remote employees to ensure that the default router credentials and the wireless passwords are changed to meet the required security standards.
Quite often, working from home also means that your employees’ family members are close by. However trustworthy these family members may be, allowing unauthorized access to devices or systems that contain or have access to PHI or PII is a compliance violation. Make sure you communicate and train all users on the security protocols and restrictions to maintain compliance.
Even when a home environment is seemingly safe or at minimal risk of outsiders, it is imperative that employees lock screens or log out of devices/applications when not in use. No unauthorized individuals, apart from your designated and appropriate employees, should be able to see or gain access to sensitive personal information or healthcare records.
Has your business participated in a risk analysis? If you’re looking to pass regulatory compliance certifications, completing a thorough risk analysis is one of the areas in which many businesses fail.
With our help, your business will be able to complete and demonstrate proper risk analysis for compliance regulations – and pass the certifications the first time around.
Has your business transitioned to a work-from-home model? Do you know if you’re still following and adhering to all HIPAA security guidelines? Compliance with HIPAA requirements has not been adjusted to accommodate or give exceptions for changes due to the pandemic. It is crucial you assess and verify that you maintain compliance no matter where your employees work from.
Whether you work on a laptop, tablet, or desktop computer, and whether you work from a coffee shop, the home office, or your backyard patio, if you have obligations under any data protection regulation, such as HIPAA or GDPR, your employees and your business must adhere to all mandatory security protocols.
Working from home brings an entirely new array of data protection risks for your remote employees and the devices they work from. Maintaining compliance with data protection regulations can position your business to potentially prevent disaster or help mitigate the consequences and costs of a data breach incident from a remote employee.
When the objective is eliminating access to or exposure of any data elements that could be used to identify a specific individual, you do not necessarily need to erase the data entirely to achieve it. Safeguards such as pseudonymization can keep information from being linked back to an individual and help fulfill your GDPR principle requirements.
Documents and protected data are more likely to accumulate or go stale on remote devices. Implement a process that prompts employees to perform a thorough check of their remote devices to make sure they are not storing any unnecessary or outdated information, especially where that data could result in a compliance violation.
The only way to understand your full obligations under regulations such as GDPR, HIPAA, NIST, or CMMC is to audit and identify what your data and information assets are, why they are needed, and how they are collected, processed, and retained. These are just a few of the questions against which you should continuously measure your data assets to ensure compliance.
Most organizations have not reviewed or updated their compliance policies and procedures in years, let alone for the shift to remote working. If you haven’t already made the appropriate updates to your policies, which directly cover and include adjustments for adopting remote employees and decentralized work environments, you need to act now!