As we have previously noted, the risk analysis process is an inventory and reporting process. As part of risk analysis, you will determine which safeguards to implement. It's important for the implementation of safeguards to be backed up by security and privacy policies that require them. Security and privacy policies serve as the foundation of your HIPAA framework. Without security and privacy policies, it will be difficult for you to hold individuals accountable for implementing and configuring effective safeguards.
Security and privacy policies are high-level rules of the road for your systems and networks and for the individuals who operate them. You want to be able to enforce the HIPAA privacy rule, and to do that, you need policies. Policies are in fact one form of safeguard, and their existence defines the overall safeguards for the entire information technology infrastructure, including all medical records that need to be secured for HIPAA. Security and privacy policies should include roles and responsibilities, and indicate which office administrators, system administrators, doctors, and other individuals have privileges to access and update the information. Policies should include rules of behavior, as well as configuration guidance, and may include the following systems and technology topics:
Access control devices
Anti-virus software and systems
Applications
Authentication systems
Biotechnology systems
Data classification
DHCP servers
DNS servers
Encryption mechanisms
File & print servers
Firewalls
Gateways
IP addressing
Messaging systems
Network architecture
Operating systems
Physical security
Routers and switches
Virtual private networks (VPNs)
Web services
Security and privacy policies need to be documented; they are not real if they exist only in someone's head. They need to be accessible, and available for reference and updating. It will be tough to hold a systems administrator responsible for enforcing policies that are not known and not readily available.