A HIPAA compliance checklist for IT teams
As the digital transformation of healthcare continues to gain ground, adherence to the health insurance portability and accountability act (HIPAA) is more important than ever. The threats are real, and healthcare is a top target for attackers, so it’s never too soon to reevaluate your compliance posture.
That’s why we’ve put together a quick checklist to help guide you through the main steps.
HIPAA compliance and information technology
When HIPAA became law in 1996, things like cloud computing, telemedicine, and the internet of things (IoT) were practically unheard of. Because of this, HIPAA is intentionally vague when it comes to precisely which controls need to be put in place to achieve compliance. That said, the same broad measures still apply, although they must be applied using modern solutions. The following is a HIPAA compliance checklist for IT teams:
#1. Technical safeguards
Technical safeguards refer to the technical controls used to protect electronic protected health information (ePHI). Businesses are free to choose whichever mechanisms they want, as long as they ensure the following:
- Access control
Access control governs the methods for accessing and disclosing PHI. This includes enforcing a strong password policy, preferably reinforced by multifactor authentication (MFA) to add an extra layer of security.
- Audit control
Audit controls refer to visibility into the movement of ePHI within and outside your organization. This includes tracking all attempts to access and transmit the information, thus making it easy to detect potential breaches of policy.
- Integrity control
Integrity control governs the availability and accuracy of ePHI and the measures taken to keep it safe from threats like unlawful manipulation or accidental loss. Typically, this involves safely backing up data and maintaining multiple redundant copies on independent systems.
- Transmission control
Data is often vulnerable during transmission, especially in the case of today’s remote workers, who may be using unsecured wireless networks and protocols. To stop attackers intercepting data in transit, end-to-end encryption must be applied to all communications.
#2. Physical safeguards
With today’s cloud-based and virtualized computing infrastructures, it is often difficult to figure out exactly where your data physically resides. However, you still need to know where your data lives in order to ensure the systems storing it are secure from physical theft or damage.
- Facility access
Facility access includes things like locked doors and keycards used to protect server rooms. These controls should also apply to cloud-hosted servers, in which case your service provider should be willing to offer evidence of their efforts to uphold physical security.
- Device access
It is now commonplace for healthcare workers and their associates to access sensitive data from their mobile devices, including their own. These devices must be secured, but to achieve maximum security, it is best to avoid storing sensitive data on mobile devices themselves.
#3. Administrative safeguards
Administrative safeguards refer to the various policies and procedures implemented to ensure the safety and privacy of ePHI. These require oversight from a dedicated security and privacy officer, who will also be responsible for enforcing the correct conduct of their workforces.
- Risk management
One of the first tasks in achieving HIPAA compliance is to identify the risks facing your data. Risk management involves building a complete inventory of every area and system that you use to store or transmit PHI before determining all the ways data breaches could occur. This risk assessment will serve as a foundation for your remediation strategy thereafter.
- Security personnel
Cybersecurity is, first and foremost, about people rather than technology. Every compliance program needs leadership and accountability to succeed, which is why HIPAA requires every covered entity and business associate to have a designated security officer and privacy officer. One person can be responsible for both these roles, and it does not have to be a new hire.
- Information management
Information management refers to the responsible governance of ePHI. This process involves managing data throughout every stage of its lifecycle, from the moment it is created to when it is ultimately retired. Administrators must also restrict third-party access, classify their data assets according to confidentiality levels, and maintain complete visibility and control of them.
- Security awareness training
Most threats exploit human ignorance or unpreparedness rather than technical vulnerabilities, which is why no information security or privacy program is complete without proper training. HIPAA requires organizations to train their employees to raise awareness of the policies and procedures put in place to protect ePHI.
Related Article: Why HIPAA Compliance Training is Critical for Your Business
- Periodic assessments
Finally, administrators must conduct periodic risk assessments to ensure that their supporting compliance documents are up to date and that their technical, physical, and administrative safeguards are still relevant. Ideally, organizations should conduct risk assessments at least once per year or following any major changes to their technical environments or operational policies.
Charles IT provides comprehensive HIPAA compliance assessments and security services to protect your organization from data leaks and other cyberthreats. Contact us today to find out more.