The nine standards in this area outline the process infrastructure needs for effective security of electronic Protected Health Information. These standards address:
- security management,
- assigned security responsibility,
- workforce security,
- information access,
- security awareness and training,
- security incidents,
- contingency plans (for emergencies and disasters),
- evaluation of security effectiveness, and
- business associate contracts (or other arrangements) with the hospital’s business partners.
The approach for assessing administrative safeguards will involve reviewing policies, procedures and processes, and interviewing responsible personnel, with respect to information security responsibility.
The four standards in this area address the physical infrastructure that needs to be in place through:
- facility access controls,
- workstation use,
- workstation security, and
- device and media controls.
The physical safeguards assessment is carried out through reviews of policies, procedures, and processes; interviews with the personnel responsible for them; and an inspection of the physical facilities. We evaluate whether access to facilities and systems exposes the facility (and the information for which it is responsible) to unintended information disclosure.
This area outlines the technical infrastructure that needs to be in place for the security of electronic PHI. The four standards in this category address:
- access control,
- audit controls,
- integrity (of electronic PHI),
- person or entity authentication, and
- transmission security.
Although the standards are largely technology-neutral, the Auditwerx HIPAA IT security assessment team considers the various technology components of a computing system and assesses each of them against the applicable standards.
This process consists of reviewing the application-level software controls, the operating system controls beneath them, the internal network controls to which the system is connected, and the controls on the external networks across which it transmits data.
These standards address the security aspects of third-party business associate contracts.
Our IT audit team focuses on interviewing the appropriate business and legal counsel personnel who are involved in developing and drafting business associate contracts, and on reviewing the content of those contracts for the security elements that need to be included.
Upon completion of our review, we prepare a report describing identified weaknesses and provide suggestions for technology options to address each weakness. We also provide guidelines for the implementation of a corrective action plan. The Auditwerx IT audit team empowers healthcare and healthcare service organizations by delivering clear and concise security information that looks beyond compliance toward the bigger picture of building strong internal control processes that drive success for your healthcare business.