Meeting HIPAA Compliance with a Managed IT Plan, Part 2: Device Documentation

A lot of steps go into ensuring HIPAA compliance. One of those is storing the serial numbers of all managed devices and recording everyone who gets on the network. HIPAA, and all of its protocols and safeguards, exist to make sure that personal health information stays private and does not fall into the wrong hands. A large part of that is correctly documenting everything that goes into your HIPAA compliance. While you must handle some of this documentation internally, a managed IT provider can help with most of it. There are quite a few steps needed to make sure you build a proper inventory.

Documenting Serial Numbers & Other Info

One of these is storing all of the serial numbers and information on devices that will come into contact with personal health information. That information includes the make and model of those devices and their physical location. It might sound like a simple request, but it is more than simply documenting the few work computers you use. Many companies now use mobile phones to access patient data. If that is the case with your company, you will need to record these mobile devices as well.

Furthermore, even if you only use a device to hand off data, you will still need to record that device if it could be an access point. According to one recent study, up to 18% of healthcare professionals now access PHI on mobile phones. This list also includes servers, as they are definitely a potential weak point that you and your IT providers need to monitor.

Documenting Where PHI Is Located

Part of recording devices is also recording where the PHI is located, and where it will be. There will need to be a PHI location map, as well as plans in place for how you would deal with a breach and with potential vulnerabilities. These requirements are less strict, but they must meet the standard of a reasonable amount of preventive care. You will need to record software as well, along with a business associate agreement if you work with a managed IT company. This agreement will itemize exactly what permissions your IT managers have, as well as their responsibility to make sure data is being backed up and encrypted, plans to minimize contact with personal data, and plans to destroy any personal data that was needed to resolve problems.

Documenting Business Practices

You will also need to document much of your business practices, including your training plans and how you properly teach new employees to handle PHI. Documents should also include what steps you have taken to limit the access that third parties, such as software companies, have to your data, and the specific ways you have minimized exposure. Also needed is a list of any possible vulnerabilities and how you may deal with them, along with upgrades to the system you want to make in the future. Finally, you should address any upgrades that you have been needing to make. This should help you fill out the future milestones and goals you want to work toward.