Policy Implementation, Enforcement, and Compliance
HIC, Inc. needs to maintain regulatory compliance to protect the confidentiality, integrity, and availability of protected health information (PHI) and information assets. It has developed various security policies following all applicable laws and regulations and standards. However, the company needs to ensure these policies are appropriately implemented, enforced, and compliant through monitoring and reporting, communication, and training.
Monitoring and Reporting
It is crucial to monitor and report on the effectiveness of security policies in order to reduce security events and to safeguard company data and PHI. The chief compliance officer (CCO) is responsible for ensuring that employees understand and comply with regulatory and legal requirements as well as internal company policies.
A security baseline of the state of the systems will be captured and used as the basis for the standards against which current vulnerabilities and security compliance are monitored and reported. The baseline will be reset quarterly so that new threats, technologies, laws, and regulations arising from the changing environment are captured (Tuyikeze & Flowerday 2014). The company will conduct periodic and random audits of the systems to ensure they are compliant with the baseline (“Part 3: IT Policy Compliance and Compliance Technologies,” 2016).
Monitoring and reporting of the effectiveness of the security policies is done using various technologies that automate the process for efficiency and real-time reporting. If any employee or system is found not to be compliant, the company will determine the most appropriate level of intervention based on the severity of the risk posed by the non-compliance.
Communication
The company maintains an “open door” policy concerning information on suspected instances of non-compliance. All employees are encouraged to report any violation of security policies via the established web link www.security.hic-inc.com or by contacting the compliance notification line at 1-800-555-5555. The company will not retaliate against any individual who reports actual or suspected violations of laws, regulations, or policies. All reported violations will be handled in accordance with the company’s confidentiality policy to ensure that the identity of the reporting individual is not disclosed except to those persons with an absolute need to know (“HIPAA Privacy & Security Compliance Plan,” 2017).
Training
The security awareness training at HIC, Inc., is intended to create a culture of safe security practices that helps reduce security events within the company. All employees, including part-time staff and contractors, are required to complete their assigned information security training, as well as an annual refresher, before the due date specified by the company. New employees are required to complete mandatory information security training before they are given access to the company network.
Employees or contractors who fail to complete the required information security training will face consequences up to and including account lockout, employment termination, or contract termination.
References
- HIPAA Privacy & Security Compliance Plan. (2017). Retrieved from https://compliance.iu.edu/doc/hipaa-documents/IU_HIPAA_Compliance_Plan_Final%2001%2030%202017.pdf
- Part 3: IT Policy Compliance and Compliance Technologies. (2016). Retrieved from https://vimeo.com/176385509/7cc70895cf