Does your business work with any organizations in the healthcare industry? If so, there’s a good chance you’re subject to the Health Insurance Portability and Accountability Act (HIPAA). Designed to protect the transfer and storage of electronic Protected Health Information (PHI), HIPAA consists of a series of checks, balances, and guidelines that organizations are required by law to follow.
Failure to comply with HIPAA can result in substantial fines being leveled at your business. If a breach of PHI occurs, it could even result in criminal charges or civil lawsuits. Suffice it to say, you don’t want to be noncompliant.
That’s where we come in. Today, we’re going to go over a checklist of everything you need to comply with HIPAA. Before we begin, however, it’s important to clarify that under HIPAA, there are two types of organizations.
Covered entities are businesses that work directly with PHI, such as healthcare providers, health plan clearinghouses, or health insurance agencies. Business associates, meanwhile, provide services to or perform functions for covered entities. Associates include IT contractors, storage service providers, email encryption services, and so on.
Before working with a covered entity, business associates must first sign a Business Associate Agreement. This states exactly what data they can access, how they will use that data, and that it will be either returned to the covered entity or destroyed once their task is finished. Beyond that, associates and covered entities largely must comply with the exact same list of requirements under HIPAA.
Whether you’re a covered entity or a business associate, you must do the following under HIPAA.
- A unique name or number to each user with access to PHI.
- Solid procedures for obtaining PHI during an emergency.
- Automatic logoff that terminate sessions after a set period of inactivity.
- Monitor and log all activity connected to PHI in a way that’s easily searchable.
- Protect all data with at least AES 256-bit encryption both in-transit and at-rest.
- Ensure PHI is not altered or destroyed without proper authorization.
- Ensure electronically-transmitted PHI is not improperly modified.
- Ensure all users attempting to access PHI are properly authenticated.
- Ensure PHI is thoroughly erased from systems that are no longer in use.
- Perform a regular, thorough risk analysis regarding where PHI is stored and how it is used. Implement measures to reduce the risks you uncover.
- Procedures to determine an employee’s access to PHI is appropriate.
- Procedures for terminating access to PHI when an employee leaves your organization.
- Identify and respond to suspected or known security incidents, and mitigate any predictable threats to PHI.
- Create sanctions for employees who fail to comply with HIPAA.
- Ensure all activity is regularly reviewed, including system activity, audit trails, and access logs.
- Ensure all employees with access to PHI are properly supervised and monitored.
- Prevent access to PHI by organizations that are not Business Associates.
- Ensure systems are in place to periodically remind employees of your security processes and procedures.
- Incorporate procedures that protect against, detect, and report malicious software.
- Monitor all logins and access logs, and
- Ensure you have procedures in place
- Perform regular evaluations to see if changes in your business or the law require you to change your procedures.
- (Covered Entities Only): sign contracts with business partners who will have access to PHI to ensure they are compliant.
- Mandate that all employees create strong passwords, and that they regularly change those passwords.
- Designate a HIPAA Security Officer
- Designate a HIPAA Compliance Officer
- Periodically test and update all contingency plans and security procedures.
- Create a process for identifying and reporting security incidents. This contingency plan should include
- How you will notify impacted individuals of an incident
- Who is responsible for investigating the breach and ensuring it doesn’t happen again
- The timeframe in which you should notify shareholders and clients of a breach (no later than 60 days after the incident occurs)
- Create security awareness training procedures.
- Procedures for the backup, storage, and retention of PHI.
- An access-controlled server room, which should include…
- Uniformed guards
- Security cameras
- Digital and/or physical locks
- Governance on when, how, and to whom physical access is granted.
- Documentation of all modifications to your physical facility.
- Processes to prevent unauthorized individuals from accessing your server room, including…
- ID cards and visitor’s badges
- Biometric verification
- Keycodes or digital locks requiring login data
- Additional verification safeguards, such as requiring guards to call a company to ensure an individual actually works for them.
- Policies and procedures that define…
- How desktops, laptops, mobile devices, or tablets (workstations) can access data and what they can do with that data.
- How each workstation is used beyond accessing data – for example, a certain piece of software might not be authorized to run if other software is running in the background.
- When and where workstations can be used to access PHI
- How workstations are to be protected against theft and intrusion
- How data is to be removed from workstations that are no longer in-use.
- How old hardware is to be disposed of, and how you will ensure all data is completely wiped from it.
- Documentation of all physical media used to access or manage PHI.
- Backup of data on all workstations.
- Ensure physical access to your data storage locations in the event of an emergency.
Ultimately, what HIPAA boils down to is that you need to do everything in your power to protect PHI data. By limiting the extent to which data is shared and accessed, ensuring all physical devices are controlled and protected, holding your partners and vendors accountable for their own security, and implementing a security training program, you should have no trouble complying. If there’s any point at which you’re uncertain if you’re compliant, you can simply go through this checklist.Follow Liberty Center One: