HIPAA, like other regulatory requirements that focus on the control and disclosure of information and the retention of records (see ISO 23081), is best approached by focusing on control of the processes that relate to products and services. Simplified, HIPAA requires:

  • That all medical records be stored in electronic media,
  • That the electronic formats be standardized,
  • That the issued medical identification number be used on all records it "touches",
  • That the procedure to exchange records be identified, established and maintained,
  • That records be protected, assuring the privacy and confidentiality of individuals (patients and related persons, including employees),
  • That IT governance practices provide security and file-auditing verification by competent and independent personnel,
  • That everyone who has access to a record be identified and authorized, and
  • Cybersecurity measures.

The above points create a challenge for organizations within the medical and health sector, including:

  • Raising awareness of HIPAA,
  • Establishing, implementing, documenting and maintaining policies and procedures for document and record control,
  • Developing new practices in light of the discontinuance of technology,
  • 1-up and 1-down privacy agreements with business partners to ensure that file and financial exchanges comply with HIPAA,
  • Developing an internal enforcement protocol, which could include an internal audit system; this must be the responsibility of the organization's highest possible authority, while possibly being delegated to management members.

Also consider 21 CFR Part 11, which relates to electronic signatures and requires certifiable binding authority for an electronic signature and its proper use; that the signature be unique to one individual; that the signature manifest in human-readable form or as biometrics; and requirements for multiple signings during continuous and non-continuous periods of controlled access.

For effective implementation and maintenance of 21 CFR Part 11, as well as the related management requirements, security is a must and must provide for an audit trail (paper and electronic media).

If your organization is ISO 9001 certified or registered, make sure that this is through a competent and reputable registration body that interfaces directly with an accreditation body; see the list of reputable certification bodies.
