As we have previously noted, the risk analysis process is an inventory and reporting process. As part of risk analysis, you will determine which safeguards to implement. It's important for the implementation of safeguards to be backed up by security and privacy policies that require them. Security and privacy policies serve as the foundation of your HIPAA framework. Without security and privacy policies, it will be difficult for you to hold individuals accountable for implementing and configuring effective safeguards.
Security and privacy policies are high-level rules of the road for your systems and networks and for the individuals who operate them. You want to be able to enforce the HIPAA Privacy Rule, and to do that, you need policies. Policies are in fact one form of safeguard, and their existence defines the overall safeguards for the entire information technology infrastructure, including all medical records that need to be secured for HIPAA. Security and privacy policies should include roles and responsibilities, and indicate which office administrators, system administrators, doctors, and other individuals have privileges to access the information and to update it. Policies should include rules of behavior, as well as configuration guidance, and may cover the following systems and technology topics:
Access control devices
Anti-virus software and systems
File & print servers
Routers and switches
Virtual private networks (VPNs)
Security and privacy policies need to be documented; they are not real if they exist only in someone's head. They need to be accessible, and available for reference and updating. It will be tough to hold a systems administrator responsible for enforcing policies that are not known and not readily available.