The COVID-19 pandemic ravaged the healthcare industry in 2020, and cybercriminals were quick to take advantage of the dire circumstances to launch cyberattacks on healthcare organizations to steal electronic protected health information (ePHI). According to Check Point Software, global attacks on the healthcare sector increased by 45% in 2020.
This finding underscores the importance of complying with the security regulations of the Health Insurance Portability and Accountability Act (HIPAA) if your business provides healthcare services or is partnered with a healthcare organization.
What Is HIPAA?
Introduced in 1996, HIPAA is a security standard designed to protect the private health information of a patient from being used and shared without that patient's consent or knowledge. Failure to comply with HIPAA standards can result in hefty fines, even if no data breach occurred. If a data breach did happen, your company can face civil action lawsuits and criminal charges.
HIPAA highlights administrative, physical, and technical safeguards that covered entities and business associates must implement to ensure the safety of ePHI. Covered entities include healthcare providers, medical insurance providers, and healthcare clearinghouses that store and transmit ePHI. Business associates, on the other hand, are organizations or individuals that have access to ePHI while working together with covered entities.
HIPAA Compliance Checklist
If you're looking to achieve HIPAA compliance or simply want to know if your organization is following HIPAA standards, use this HIPAA compliance checklist for IT as your guide.
Administrative Safeguards
Administrative safeguards center on policies, procedures, internal organization, and maintenance of security protocols used to keep ePHI safe. These include:
|
Specification |
Required or Addressable* |
Details |
|
Performing risk assessments |
Required |
Risk assessments must be performed to identify every area where ePHI is used and determine how those areas can be safeguarded from data breaches. |
|
Developing a risk management policy |
Required |
This policy will ensure risk assessments are performed at regular intervals with measures on how to minimize risks to a manageable level. This risk management policy must also include sanctions for employees who don't observe HIPAA regulations. |
|
Conducting training sessions |
Addressable |
Training sessions must be performed regularly to raise awareness about the rules and regulations on accessing ePHI and to provide information on how to identify malware and other cyberthreats. |
|
Creating a contingency plan |
Required |
A contingency plan will allow your business to continue operating and protecting ePHI in the event of an emergency such as a natural disaster, cyberattack, or utility outage. |
|
Testing the contingency plan |
Addressable |
Regularly testing the contingency plan allows covered entities and business associates to evaluate its effectiveness. This plan must also contain the location of accessible ePHI backups and procedures on how to restore lost information after an emergency. |
|
Limiting third-party access |
Required |
Only authorized personnel should be granted access to ePHI. Business partners that require access to ePHI should first sign business associate agreements. |
|
Reporting cybersecurity incidents |
Addressable |
Reporting cybersecurity incidents will allow covered entities and business associates to contain the incidents and save patient data before they turn into full-blown data breaches. |
*Required safeguards are safeguards that must be implemented, whereas addressable safeguards largely depend on a covered entity's and business associate’s risk analysis, risk mitigation plan, and other cybersecurity measures that are already in place.
Physical Safeguards
Physical safeguards focus on the physical measures, procedures, and policies used to safeguard a covered entity's data system, equipment, and buildings from unauthorized access such as:
|
Specification |
Required or Addressable |
Details |
|
Implementing facility access controls |
Addressable |
This controls who can physically access areas where ePHI is kept, such as maintenance personnel, software engineers, and more. The controls must also contain regulations to prevent unauthorized physical access, theft, and tampering of ePHI. |
|
Creating policies for the positioning and use of workstations |
Required |
Use of workstations with access to ePHI must be limited to authorized personnel only. Additionally, these policies must also specify how workstations are physically protected and control how tasks are performed on them. |
|
Developing rules for mobile devices |
Required |
This focuses on how ePHI is removed from authorized mobile devices should an employee leave the company, or if the device is sold or reused. |
Technical Safeguards
According to HIPAA, technical safeguards refer to the technologies and procedures covered entities and business associates must implement in order to create a secure IT environment where ePHI can be stored and handled safely. Such safeguards include:
|
Specification |
Required or Addressable |
Details |
|
Implementing access controls |
Required |
Each user must be assigned their own unique login credentials. This lets covered entities and business associates monitor user activity and hold them accountable for tasks performed involving ePHI while logged in. |
|
Developing a system to authenticate ePHI |
Addressable |
This system will be used to determine whether ePHI has been modified or destroyed without authorization. |
|
Leveraging encryption and decryption tools |
Addressable |
The devices used by authorized personnel must be capable of encrypting messages when they are sent beyond the perimeter of your organization and decrypt the same messages when received. |
|
Creating audit controls and activity logs |
Required |
This allows covered entities and business associates to monitor who is trying to access ePHIand what is being done with that information after being accessed. |
|
Enforcing auto logoff of computers and other devices |
Addressable |
Authorized personnel must be logged off their workstation or device after a set period to prevent unauthorized individuals from accessing ePHI, especially if the said workstation or device is left unattended. |
Complying with HIPAA regulations will ensure patient data is protected, helping you avoid paying costly fines and lawsuits. If you're not sure whether your infrastructure can safeguard ePHI, partner with a trusted managed IT services provider like Charles IT. Our IT security experts will evaluate your network to identify compliance risks and recommend plans for improvement. Call us today to learn more about our HIPAA compliance assessment services.
