CSIA 413 Week 2 Discussion Compliance with Laws and Regulations
Week 2: Discussion: Compliance with Laws and Regulations
Compliance with laws and regulations

The HIPAA Security Rule is a set of guidelines issued by the Department of Health and Human Services (HHS) on November 25, 2003, for the protection of individually identifiable health information (Choi, 2019). It went into effect on January 1, 2004.

The regulatory requirements as they apply to the company are the following:

HIPAA Privacy Practices and related Security Standards must be followed, including:

- Rules for the collection, use, storage, retention and security of personal health information (PHI). Under the rule, all covered entities shall implement security measures, including computer safeguards, to protect PHI, and any other personally identifiable information that could be used to identify an individual, against unauthorized use or disclosure (Shay, 2017).

The company’s IT Governance Board identified a set of policies that will meet these mandates as follows:

* Secure connection from our servers to everyone else. We are building a Virtual Private Network (VPN) with a minimum 128-bit encryption key, which will be encrypted at least two times before it reaches its destination.

* In addition, we will implement a hardware firewall for protection against unauthorized intrusion into the company’s servers.

* All our servers will utilize Secure Sockets Layer (SSL) or Transport Layer Security (TLS) technology so that all information is encrypted during online transactions. This is the same technology used in online stores to protect credit card numbers when you shop online.

* Utilizing advanced mathematical techniques, including multifactor authentication and token-based authentication, all users accessing the system will be required to log in with a unique user name and password to access the system.

* All computer systems connected to the company’s server will have their own unique user names, passwords, and access permissions assigned. This is referred to as a ‘multi-tiered’ approach.

* We will implement access control lists (ACLs) for all system resources and files to control the type of access (read, write, execute) that each individual has to information on the network.

* All network devices will be configured with IP addresses in accordance with published IP address guidelines.

* If we receive any inquiries that relate to documents that are not part of our original system of record, we will direct those individuals to the appropriate party.

* All staff members will be trained on the company’s privacy policy and have been provided a copy of the company’s Housekeeping Policy. The company will also conduct periodic training for various divisions to ensure that all employees are aware of the HIPAA Security Rule, its requirements and its effects.

* We will utilize an Information Technology (IT) Incident Response Team to assist in crisis situations. The team shall consist of: Be the initial contact for any external source (law enforcement, customer, etc.) who needs to make an entry into our system. It shall be responsible for communicating with other team members during an incident. It shall be responsible for coordinating with external experts who may be needed to deal with a significant situation.

The company needs to adopt guidance policies because it is necessary for us to understand what the company’s requirements are in order to be successful in the business environment. To make sure everyone is aware of these requirements and properly educated about them, policies must be created and adopted for all employees. Also, the company must be prepared for any type of questions from customers and external parties so that they are aware of all policy requirements. Finally, if the company’s system is ever hacked, it must have a way of dealing with this situation in an effective manner (Hoffman, 2017). The creation of an incident response team will help deal with these types of situations effectively and minimize any damage to our company’s reputation.

References

Hoffman, S., & Podgurski, A. (2017). Securing the HIPAA security rule. Journal of Internet Law, Spring, 06-26.

Shay, D. F. (2017). The HIPAA Security Rule: Are You in Compliance? Family Practice Management, 24(2), 5-9.

Choi, Y. B., Capitan, K. E., Krause, J. S., & Streeper, M. M. (2019). Challenges associated with privacy in health care industry: implementation of HIPAA and the security rules. Journal of Medical Systems, 30, 57-64.