Best practices that you, the CE, should follow to help pass your audit

  • Document data management, security, training and notification plans.
  • Use a password policy for access.
  • Encrypt PHI, whether it is in a database or in files on a server. Although not required by HIPAA, it is strongly suggested and considered best practice to do so while stored in the database, and especially during transmission. More encryption considerations:
      • Always use SSL for web-based access to any sensitive data.
      • Knowledge of the encryption techniques and mechanisms used to protect sensitive information should be restricted to a select few.
      • Content such as images or scans should be encrypted and contain no personally identifying information.
  • Don’t use public FTP – use an alternative method to move files.
  • Only use VPN access for remote access.
  • Use login retry protection in your application.
  • Document a disaster recovery plan.
  • Save money and time by hosting with a company that already has a BAA in place – that way your auditor can review the document instead of conducting another audit on top of yours.

Source :Document data management, security, training and notification plans.