6 Critical Factors for Effective Information Security & Privacy Policies
By Rebecca Herold, Posted 12/28/09
I've been feeling bad about not posting to my blog as often as I have historically...
I want to post more but besides dealing with a lot of personal crises, I've also been working on several projects, including creating the content for a really great service/product, Compliance Helper.
Something I've seen over the years that HIPAA covered entities (CEs), actually all types of organizations, struggle with a lot is creating good, feasible information security and privacy policies. I foresee that business associates (BAs), who are also obligated to do these activities as one of the impacts of the HITECH Act, will be struggling with it even more.
So many BAs are small- to medium-sized businesses that have little to no documented policies, let alone procedures. And those that do have what they consider to be policies would never come even close to passing an audit, and all I've seen are not covering the full scope of information security and privacy topics that need to be covered.
The Compliance Helper tool and personalized service will provide the basic policy templates (ready for easy customizing with the assistance of an assigned human helper), along with supporting procedures, forms and resources, to help CEs and BAs (and actually all organizations) address this requirement.
In the meantime, until Compliance Helper is released (just a few short weeks now!), I want to provide some important pointers about information security and privacy policies, an excerpt from the book I co-wrote with Kevin Beaver, "The Practical Guide to HIPAA Privacy and Security Compliance", which we are also in the process of updating for a 2nd edition:
Critical Elements of Information Security and Privacy Policies
Too commonly, information security and privacy policies either do not exist or are not enforced in today's healthcare environments. The first major hurdle that must be addressed to ensure information security and privacy policies are implemented and managed properly is that of upper management support. Even though HIPAA compliance is federal law, healthcare organizations still need buy-in from their upper management if policies are to be successfully developed and embraced. If you have reached the point of communicating the value and requirements of HIPAA to upper management and are already working toward compliance, this should not be a major issue for you as it is in other nonregulated environments.
Beyond upper management buy-in, there are six other critical factors that will determine whether or not security policies are effective. In no particular order, these factors are as follows:
People must be aware of information security and privacy policies.
Perhaps the greatest mistake in information security and privacy policies management is that organizations create them and then put them on a shelf without making anyone aware of them. The organization would be just as well off without information security and privacy policies in this case. Refer to Chapter 24 for details on the best ways to get the word on your security policies out to everyone involved.
Create a committee to develop information security and privacy policies.
You do not want to develop information security and privacy policies all by yourself. This could be misconstrued as one-sided or biased, and this is certainly not the position any one individual wants to be in. Additionally, you must consider the expertise of your business leaders to ensure the policies you create are feasible. Get other people involved. It is preferable to get HR, Legal, facilities management, IT and applicable business unit representatives to help with this.
Information security and privacy policies must be specific to your organization.
You cannot simply buy an information security and privacy policies book or download sample policies off the Internet and apply them verbatim to your immediate needs. Do not get us wrong; these policies are a *great* place to start -- they can definitely save you a lot of time, money, and effort. Plus they help you to ensure you are covering all the topics you need to cover. Just remember to tailor these policies to your organization's specific needs and requirements. In fact, try to relate your information security policies to your privacy policies whenever possible. Tailoring these policies should not take a lot of work, and it is absolutely necessary to make sure your information systems and protected health information (PHI) are properly protected in your particular environment.
Information security and privacy policies must be readable and understandable.
Make sure you know your intended audience before you start writing your policies. Regardless of who will be reading them, use the legal and technical jargon sparingly. All of your employees, independent of their knowledge and intellect, need to be able to read any and all of your organization's information security and privacy policies and completely understand them. This is not just an education or awareness issue. It also depends on how well written the policies are in the first place.
Information security and privacy policies must be fair, reasonable, and legal.
Put yourself in your end users' position. Do the policies seem fair and reasonable in order to get the job done? If security policies are not fair and reasonable, people will break them, and that is the last thing anyone needs to have happen with their HIPAA policies. It really is possible to balance security, HIPAA compliance, and convenience. Make sure your organization is doing that. Also, do not forget to run your security policies by your legal counsel before you publish them to make sure they are legal from an HR and employees' rights perspective.
Information security and privacy policies must be enforced.
It is not enough for information security and privacy policies to be fair, reasonable, and in compliance with applicable laws and regulations. They must also be enforced within the organization for all users, including upper management. Sure, HIPAA mandates information security and privacy policies, but similar to the awareness issue discussed previously, if policies are not enforced by the policies committee (if you have one), HIPAA Officer(s), or upper management, then it is probably not worth the time, money, and effort to develop them in the first place. Not only this, but HIPAA, and many other laws and regulations, also mandate sanction policies and require documentation that you are actually enforcing the policies.