HIPAA Compliance Checklist - Tech Solutions for Businesses
According to HHS, business associates are directly liable for violating the HIPAA Security Rule and Breach Notification Rule as well as certain provisions of the Privacy Rule.
If an implementation specification is described as "required", it must be fulfilled. Addressable specifications must be implemented if doing so is reasonable and appropriate; either way, the decision must be documented.
Business associates may use any technology solution to align with HIPAA requirements. In deciding which security measure to use, businesses should consider the following factors:
- The size, complexity, and capabilities of their organization.
- The technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
Based on our experience in healthcare development, we recommend the following technical solutions for meeting HIPAA requirements.
Enable authorized users to access only the minimum necessary information needed to perform their job functions.
Assign each user a unique ID for identifying and tracking user identity.
- Use the employee's name or a variation of it (e.g. jsmith).
- Use a random string of numbers and characters (harder for an unauthorized user to guess, but also harder for authorized users to remember and for management to recognize).
Provide access to necessary ePHI during emergency conditions (for example, when normal environmental systems such as electrical power have been damaged by a natural or man-made disaster).
If the organization uses a cloud-based EHR, the disaster recovery plan should address disruptions in access to the ISP or the cloud-based EHR vendor, so that the EHR remains available for both treatment and billing services.
Apply procedures that terminate an electronic session after a predefined period of inactivity.
- Set a 10-minute period of inactivity after which the system is automatically locked. If the device is in a high-traffic area, use a timeout of 2 to 3 minutes. Equipment used in protected areas with controlled, limited access, such as a lab or an isolated office, can have longer timeout periods.
- Activate an operating system screensaver that is password protected after a period of system inactivity.
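The zone-dependent idle timeout described above, as an added example in Go (not code from the original page). It assumes three workstation zones and uses the 10-minute default and 2-minute high-traffic limit from the checklist; the 30-minute protected-zone value is a hypothetical choice. A locked session fails closed: any further activity is refused until the user re-authenticates, and a periodic sweep reports which sessions it locked so each can be audited.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// WorkstationZone describes where the workstation sits; the idle limit
// depends on it.
type WorkstationZone int

const (
	ZoneStandard    WorkstationZone = iota // ordinary office space
	ZoneHighTraffic                        // reception desk, shared hallway kiosk
	ZoneProtected                          // lab or isolated office with controlled access
)

// IdleLimit returns the inactivity period after which a session is locked.
// The standard and high-traffic values follow the checklist; the protected
// value is an assumption for this example.
func IdleLimit(z WorkstationZone) time.Duration {
	switch z {
	case ZoneHighTraffic:
		return 2 * time.Minute
	case ZoneProtected:
		return 30 * time.Minute
	default:
		return 10 * time.Minute
	}
}

// Session tracks when the user last did something.
type Session struct {
	UserID     string
	Zone       WorkstationZone
	LastActive time.Time
	Locked     bool
}

var ErrSessionLocked = errors.New("session locked: re-authentication required")

// Touch records activity. It refuses (and locks) a session that is already
// locked or whose idle time has passed the zone limit, so the caller must
// send the user back through authentication rather than silently extending
// the session.
func (s *Session) Touch(now time.Time) error {
	if s.Locked || now.Sub(s.LastActive) > IdleLimit(s.Zone) {
		s.Locked = true
		return ErrSessionLocked
	}
	s.LastActive = now
	return nil
}

// Sweep locks every session whose idle time exceeds its zone's limit and
// returns the IDs of the sessions it locked, so the caller can write an
// audit record for each.
func Sweep(sessions []*Session, now time.Time) []string {
	var locked []string
	for _, s := range sessions {
		if !s.Locked && now.Sub(s.LastActive) > IdleLimit(s.Zone) {
			s.Locked = true
			locked = append(locked, s.UserID)
		}
	}
	return locked
}

func main() {
	// Constructed sample: two users idle since 09:00.
	start := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	sessions := []*Session{
		{UserID: "jsmith", Zone: ZoneHighTraffic, LastActive: start},
		{UserID: "mjones", Zone: ZoneStandard, LastActive: start},
	}
	// Five minutes later only the high-traffic workstation is locked.
	fmt.Println(Sweep(sessions, start.Add(5*time.Minute)))
}
```

Run the sweep from a ticker (every 30 seconds or so) and call Touch from every request handler; the returned error is the signal to redirect to the login screen.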
All collected and stored ePHI should be encrypted, and decryptable only by a person holding the appropriate keys.
- Store the sensitive data in a secure environment with the proper physical and network security.
- Choose file/folder level encryption and full disk encryption for storing confidential info on mobile devices.
- Do not store the passphrase for the PGP or S/MIME key on the same system as the key.
- If you store ePHI in a MySQL database, ensure that the database password is not stored in plaintext alongside the application.
- Encrypt the data before saving it to the database, as an additional layer of security.
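Field-level encryption before the row reaches the database, as an added Go example (not code from the original page). It assumes a 256-bit data-encryption key supplied through an environment variable named `EPHI_DEK` (an assumption; in production the key would come from a KMS or HSM), so the key is never written into source, configuration, or the database itself. AES-GCM with a fresh random nonce per record is used, and the record ID is bound as additional authenticated data so a ciphertext copied into another patient's row will not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// loadKey reads the data-encryption key from the environment (EPHI_DEK is
// an assumed name for this example). Nothing persistent on the host holds it.
func loadKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv("EPHI_DEK"))
	if err != nil || len(key) != 32 {
		return nil, errors.New("EPHI_DEK must be 64 hex characters (32 bytes)")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field value for storage. The stored form is
// "v1:" + base64(nonce || ciphertext || tag); the version prefix lets a later
// key or algorithm rotation coexist with old rows.
func Seal(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// recordID as AAD: the ciphertext is tied to this row.
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return "v1:" + base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. Any failure (wrong key, wrong record, modified bytes)
// is reported as one generic error so callers cannot distinguish them.
func Open(key []byte, recordID, stored string) (string, error) {
	if len(stored) < 3 || stored[:3] != "v1:" {
		return "", errors.New("unknown ciphertext version")
	}
	raw, err := base64.StdEncoding.DecodeString(stored[3:])
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong record, or tampered data")
	}
	return string(pt), nil
}

func main() {
	key, err := loadKey()
	if err != nil {
		fmt.Println("startup refused:", err) // fail closed without a key
		return
	}
	// Constructed sample value for a hypothetical patient row.
	ct, _ := Seal(key, "patient-42", "A1C 7.2")
	fmt.Println("stored:", ct)
	pt, _ := Open(key, "patient-42", ct)
	fmt.Println("read back:", pt)
}
```

Only the `Seal` output is handed to the database driver; the column can stay a plain string type. Because the nonce is random per call, encrypting the same value twice yields different ciphertexts, so encrypted columns cannot be searched by equality without a separate blind-index design.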
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Protect ePHI from improper alteration or destruction, whether by technical or non-technical parties. For example, workforce members may make incidental changes that improperly alter or destroy ePHI, and data can also be compromised without human intervention, through electronic media errors or failures.
Implement electronic mechanisms to protect ePHI from alteration or destruction by a virus or other malicious code.
Back up the database and store the backup with an external cloud service.
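The audit-control and integrity points above (record activity on systems holding ePHI; detect improper alteration or destruction) are served by one added Go example, which is not code from the original page. It keeps a hash-chained, append-only audit log: each entry carries the hash of the previous one, so editing, reordering or deleting an earlier entry breaks every hash after it. The `Entry` fields and the idea of storing the chain head separately are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"strings"
	"time"
)

// Entry is one audit record: who did what to which ePHI record, and when.
// PrevHash links it to the previous entry.
type Entry struct {
	Seq      int       `json:"seq"`
	Time     time.Time `json:"time"`
	UserID   string    `json:"user"`
	Action   string    `json:"action"` // view, update, export, print, ...
	RecordID string    `json:"record"`
	PrevHash string    `json:"prev"`
	Hash     string    `json:"hash"`
}

// GenesisHash is the PrevHash of the first entry.
var GenesisHash = strings.Repeat("0", 64)

// hashEntry hashes every field except Hash itself. JSON gives a stable,
// unambiguous field encoding (no delimiter collisions in user-supplied text).
func hashEntry(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is an append-only, hash-chained list. Entries is exported so a
// reviewer can inspect it (and a test can try to tamper with it).
type AuditLog struct{ Entries []Entry }

// Append records an action and links it to the current chain head.
func (l *AuditLog) Append(now time.Time, user, action, record string) Entry {
	prev := GenesisHash
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), Time: now.UTC(), UserID: user,
		Action: action, RecordID: record, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Head returns the latest hash. Storing it somewhere the log writer cannot
// reach (write-once storage, a printed end-of-day report) is what makes
// verification meaningful: whoever can rewrite the whole file can also
// recompute the chain, but cannot change the head that was already exported.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return GenesisHash
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify recomputes the chain and returns the index of the first entry that
// does not fit (edited, reordered, or following a deleted entry), or -1.
func (l *AuditLog) Verify() int {
	prev := GenesisHash
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// VerifyAgainst also compares the head with a separately stored copy, which
// is the only way to notice that the newest entries were truncated.
func (l *AuditLog) VerifyAgainst(expectedHead string) bool {
	return l.Verify() == -1 && l.Head() == expectedHead
}
```

Run `Verify` as part of the backup job and alert on any index other than -1; compare `Head` with the exported copy from the previous run to catch truncation.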
Person or Entity Authentication
Verify that a person or entity seeking access to ePHI is who they claim to be.
- Require something known only to that individual, such as a password or PIN.
- Passwords should be as long as practical (six to 10+ characters) and include a combination of numbers, special characters, and a mixture of upper and lower case letters.
- Passwords should be changed at least every six months, or whenever a password becomes known to another person, and current or previous passwords must not be reused.
- Password expiration can be enforced in software: the logic prevents users from logging in with an expired password and forces them to change it.
- Require something the individual possesses, such as a physical token or a telephone callback.
- Require something unique to the individual such as a biometric (e.g. fingerprints, voice patterns, facial patterns or iris patterns).
- Use two-factor authentication:
  - By SMS or push notification: a person logging in with a username and password must also enter a one-time code to confirm their identity.
  - A fingerprint scan (biometric) followed by entry of a password.
  - Integration with Google Authenticator or a similar service.
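The password-expiration and no-reuse logic from the list above, as an added Go example (not code from the original page). The policy values (10-character minimum, about six months maximum age, five remembered passwords) are assumptions chosen within the ranges the text gives. The iterated-SHA-256 hash is a stand-in so the block runs with the standard library alone; a real system should use a memory-hard KDF such as argon2id or bcrypt, and the expiration and history logic does not depend on which one.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
	"unicode"
)

// Policy values are assumptions chosen to match the checklist.
const (
	MaxPasswordAge = 182 * 24 * time.Hour // about six months
	MinLength      = 10
	HistoryDepth   = 5 // how many previous passwords may not be reused
	hashRounds     = 50_000
)

var (
	ErrBadPassword     = errors.New("invalid credentials")
	ErrPasswordExpired = errors.New("password expired: change required before access")
	ErrWeakPassword    = errors.New("password does not meet complexity policy")
	ErrPasswordReused  = errors.New("password was used before; choose a new one")
)

// Credential is what the account store keeps; never the plaintext password.
type Credential struct {
	Salt    []byte
	Hash    []byte
	SetAt   time.Time
	History [][]byte // hashes of previous passwords, same salt
}

// hashPassword is a stand-in KDF (iterated SHA-256 over salt||password).
// Replace with argon2id or bcrypt from golang.org/x/crypto in production.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 1; i < hashRounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// CheckComplexity enforces the length and character-class mix.
func CheckComplexity(pw string) error {
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	if len(pw) < MinLength || !(upper && lower && digit && special) {
		return ErrWeakPassword
	}
	return nil
}

// NewCredential creates the initial credential for an account.
func NewCredential(pw string, now time.Time) (*Credential, error) {
	if err := CheckComplexity(pw); err != nil {
		return nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Credential{Salt: salt, Hash: hashPassword(salt, pw), SetAt: now}, nil
}

func (c *Credential) matches(pw string) bool {
	return hmac.Equal(c.Hash, hashPassword(c.Salt, pw)) // constant-time compare
}

// Login verifies the password, then refuses access if it has expired: the
// caller must route the user to Change before issuing a session.
func (c *Credential) Login(pw string, now time.Time) error {
	if !c.matches(pw) {
		return ErrBadPassword
	}
	if now.Sub(c.SetAt) > MaxPasswordAge {
		return ErrPasswordExpired
	}
	return nil
}

// Change rotates the password, rejecting the current one and recent ones.
func (c *Credential) Change(oldPw, newPw string, now time.Time) error {
	if !c.matches(oldPw) {
		return ErrBadPassword
	}
	if err := CheckComplexity(newPw); err != nil {
		return err
	}
	candidate := hashPassword(c.Salt, newPw)
	if hmac.Equal(candidate, c.Hash) {
		return ErrPasswordReused
	}
	for _, h := range c.History {
		if hmac.Equal(candidate, h) {
			return ErrPasswordReused
		}
	}
	c.History = append(c.History, c.Hash)
	if len(c.History) > HistoryDepth {
		c.History = c.History[len(c.History)-HistoryDepth:]
	}
	c.Hash, c.SetAt = candidate, now
	return nil
}
```

`Login` checks the password before the age so that an attacker cannot learn from the error whether an account's password has expired; the expired error is only returned to someone who already holds the correct credential.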
Prevent unauthorized access to ePHI that is being transmitted over an electronic communications network.
Ensure that ePHI is not improperly modified during transmission (it applies to all individual health information that is maintained or transmitted).
- Use secure network communication protocols.
- Secure your web solution with TLS/SSL, PGP or AES encryption.
Do not use FTP to transfer patient data to/from payers and other medical organizations. Choose SFTP instead.
Communication containing PHI (either in the body or as an attachment) that goes beyond an internal firewalled server should be encrypted. Bear in mind that emails containing PHI are part of a patient's medical record and should therefore be encrypted and backed up.
This applies to any form of electronic communication - email, SMS, instant message, etc.
The encryption requirements apply to every part of the IT system, including servers like Amazon Cloud or Microsoft Azure.
NIST recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.
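A transmission-security baseline for the TLS side of the above, as an added Go example (not code from the original page or any named product). It builds a hardened server configuration (TLS 1.2 minimum, AEAD cipher suites with forward secrecy) and a small review function that lists the weak settings in any `tls.Config` the application constructs; the list of what counts as a finding is this example's own choice.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// HardenedServerConfig is the baseline for any endpoint that carries ePHI.
// Certificates and key material are attached by the caller.
func HardenedServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		// AES-GCM and ChaCha20-Poly1305 with ECDHE only (forward secrecy).
		// TLS 1.3 suites are not configurable in Go and are always on.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// Findings returns a human-readable list of weaknesses in cfg. An empty
// list means the config meets this example's baseline.
func Findings(cfg *tls.Config) []string {
	var out []string
	switch {
	case cfg.MinVersion == 0:
		out = append(out, "MinVersion not pinned; relies on the library default")
	case cfg.MinVersion < tls.VersionTLS12:
		out = append(out, "MinVersion below TLS 1.2")
	}
	if cfg.InsecureSkipVerify {
		out = append(out, "InsecureSkipVerify is set: peer certificates are not checked")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			out = append(out, "insecure cipher suite enabled: "+name)
		case strings.HasPrefix(name, "TLS_RSA_"):
			out = append(out, "cipher suite without forward secrecy: "+name)
		}
	}
	return out
}

func main() {
	// Constructed weak config of the kind a review should reject.
	weak := &tls.Config{
		MinVersion:         tls.VersionTLS10,
		InsecureSkipVerify: true,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	}
	for _, f := range Findings(weak) {
		fmt.Println("weak:", f)
	}
	fmt.Println("hardened findings:", len(Findings(HardenedServerConfig())))
}
```

Wire `Findings` into a startup self-check or a unit test so that a later edit to the server's TLS settings cannot silently reintroduce an old protocol version or disable certificate verification.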
Facility Access Controls
Limit physical access to the electronic information system, while ensuring that properly authorized access is allowed.
Allow facility access to the physical office and stored data even during an emergency.
Define and document the use of physical access control to protect equipment that stores ePHI from unauthorized access and theft.
Control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Log all server actions.
Document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
In a small office, documentation may simply be a logbook that notes the date, reason for repair or modification and who authorized it.
In a large organization, various repairs and modifications of physical security components may need to be documented in more detail and maintained in a database.
Restrict the use of workstations that have access to ePHI. Specify the protective surrounding of a workstation. Regulate how functions are to be performed on the workstations that can access ePHI.
- Automatic logoff.
- Use and continually update antivirus software.
- Configure web filtering.
Device and Media Controls
Manage how ePHI is transferred, removed or disposed of from mobile devices when the user leaves the organization or the device is reused, sold, etc.
The data can be permanently disposed of when needed. Yet, you will have to consider all the places where data can be archived, and you will need to ensure that all of those backups will expire and disappear.
Remove ePHI from electronic media before the media are made available for reuse.
Manually remove patient data from electronic storage media, including memory devices in computers (hard drives) and any removable or transportable digital memory media, such as backup tape, optical disk, or smart card.
Maintain a record of the movements of hardware and electronic media, and of any person responsible for them.
The HIPAA Rules do not dictate where ePHI may or may not be maintained. Thus, BAs are not prohibited from storing PHI outside of the United States (though there are other laws that may restrict the practice of storing PHI offshore; for example, some state Medicaid programs prohibit the offshoring of Medicaid data).
ePHI that is collected, stored and used within your solution has to be backed up. The copy should be stored in a secure environment, and best practice is to keep several backups in different locations.
Also, the copy should be readily retrievable if the hardware or electronic media is damaged.
- Automatic data backup.
- Email archiving.
Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
Administrative Safeguards fall outside the realm of software development; however, they are mandatory guidelines for any business that works with health information. Administrative security tasks involve:
- Appoint security officers who will regularly perform the risk assessment.
- Introduce risk management policies and procedures.
- Train employees on identifying potential cyber attacks and document all training.
- Restrict third-party access to ePHI.
- Develop a contingency plan to protect the integrity of ePHI, including data backups and procedures to restore lost data in case of emergency.
HIPAA Privacy Rules
HIPAA Privacy Rules refer to the use and disclosure of PHI and apply to all healthcare organizations and their business associates. According to the rules, a BA may not use, access, or disclose PHI without the patient's consent, except for purposes of treatment, payment or certain health care operations, and for certain public safety and government functions, including reporting of abuse and neglect, responding to government investigations, or disclosures to avoid a serious and imminent threat to an individual. Before making disclosures for such purposes, however, the BA should consult with the CE.
Limited data set.
HIPAA Breach Notification Rules
Require BAs to promptly notify the Department of Health and Human Services of small security breaches within 60 days after the breach is discovered. Larger breaches (affecting 500+ patients) must also be reported to the media. Plus, BAs must notify their CE, which in turn must notify the individuals.
Breach notifications should include the following information:
- The nature of the ePHI involved, including the types of personal identifiers exposed.
- The unauthorized person who used the ePHI or to whom the disclosure was made (if known).
- Whether the ePHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.
In all cases, patients must be notified and informed of steps they can take to mitigate potential damage.
Prepare a mass mailing plan for this contingency.
Maintain Required Documentation
Maintain the documentation required by the Security Rule for six years from the document's last effective date. Ensure that you have written training standards as well as written penalties, and that employees are informed of them in case of a violation.