Time to get started on a new Blog series I am geared up about. In an ongoing series of articles I want to give you the tools to start to build your own IT policy of reasonable best practices that will help protect your Practice data.
I frequently get asked to ‘make my Practice HIPAA compliant’. This is a tall order, and the enormity of it usually puts people off from starting at all.
With this series of articles I will be giving you bite sized elements to start taking practical steps towards HIPAA compliance. If nothing else, your data will be safer if you do these things.
Each section I will offer up generally follows this pattern:
- Evaluate what the risk to the Practice is
- Decide what the Practice will do about it
- Write down what was decided
- Then you need to actually get this done!
- Periodically perform some review to make sure this was done
- Document the results of this review
Maple Leaf Orthodontics IT Policy
I will be using the sample Practice we made up called Maple Leaf Orthodontics for the discussions.
Each section I post will include text for an overall IT Policy document. This is the master document.
You can download it here: Maple Leaf Orthodontics IT Policy – Section 1.
You should take this document and customize it for yourself. It’s an intelligent Microsoft Word document, complete with proper section headers and an automatic index. I suggest you edit the header and footer with graphics of your own; just replace the Maple Leaf Ortho ones.
As you add or delete sections of the IT policy, you can update the Table of Contents by clicking on it, then clicking the “Update Table” option in the top left corner, selecting “Update Entire Table” and clicking OK. It will automatically add the new section titles and correct page numbers.
IT Compliance Officer
The first section we need in our IT Policy is an easy one: your IT Compliance Officer. Sounds fancy, but it is merely the person within the Practice who will be responsible for ensuring that the steps defined within the policy are getting done.
This person doesn’t need to be a nerd and know how to do all the steps. But they need to know what has to get accomplished, and be empowered to enlist the help to get things done. For example, they should know that something needs to be checked by their IT person once per year, and be able to hire them to do it.
This person shouldn’t be treating the role like it’s just another burden (and something to put in a drawer and ignore). It’s important. If you say you are going to do something and then don’t do it, you are exposing yourself to some liability down the road because you’ve acknowledged the step was important and failed to accomplish it.
This person should be organized. They need to keep the IT policy document up to date (adding sections from time to time) and keep it and the audit documents in a safe place. They should set a reminder in the schedule when certain steps need to be reviewed.
So, figure out who that person is (which is probably you since you are reading this blog), fill in their name in the IT Policy document, and you are off to the races!
Check out the section on Business Associate Agreements
If you would like a little help with implementing this with your Practice, this is what MME does and we’d be happy to help. We can customize the complete document for the steps applicable to your Practice, and take care of the IT steps to implement them (we are nerds after all). Just give us a call at 866-419-1102 or check us out online at www.mmeconsulting.com.