HIPAA Security Checklist
HIPAA security compliance needs to be a concern to any company in the healthcare industry. If you want help taking steps toward compliance, the following checklist will lay out everything you need to do.
Understand the Big Picture of Complying with HIPAA
Despite how expansive HIPAA is as a piece of legislation and the fact that it continues to evolve, many companies fall into the trap of oversimplifying it. After all, there are only three categories of safeguards you really need to worry about:
Implementing HIPAA Controls
- Physical
- Technical
- Administrative
Your company may not even need to implement one of them (e.g., a lot of companies don’t have physical duties concerning sensitive data).
Across these three categories, though, there are roughly 50 specifics regarding implementation, so where your company does have safeguards that need implementation there is very little wiggle room.
That being said, while it’s important that you don’t forget about these specifics, it’s also important that you see the forest for the trees. As complicated as HIPAA is at times, it’s only going to become more difficult if you forget its overall goal which is to protect the PHI (Protected Health Information) and ensure that people receive the health care coverage they’re entitled to under federal law.
Keep those targets in mind when you’re implementing security protocols for HIPAA and you’ll have a much easier time with the rest of this checklist.
Choose Someone to Be Your Security Officer
Once you understand what’s required of your organization under the HIPAA security rule, it’s a good idea to decide who can help you with implementation and oversight. Unless you’re an extremely small company, it’s unwise to hand over this vital task to any one person. If nothing else, you’ll want at least one or two other people in charge of ensuring the lead is handling everything in accordance with the law. Otherwise, you’re going to find yourself facing massive penalties and your company will suffer from a serious loss of reputation.
No matter how big your company is, it needs a “Security Officer” to oversee the security rule. This is an HIPAA requirement. While there is some wiggle room in terms of what their job will entail, we recommend:
- Making the security rule their full-time priority if possible.
- At the very least, it should be something they address on a regular basis.
- The person needs to already be familiar with your company.
- Take their education seriously. As we’ve already touched on, HIPAA isn’t a simple set of guidelines. The legislation is comprehensive and has been modified every few years since its inception. Make sure that your security officer is up to the task of learning what HIPAA requires, implementing these demands and adapting to changes over time.
As we mentioned, your security officer should have someone to answer to – someone who can make sure they’re doing their job correctly and who will conduct regular audits. Though it’s not required under HIPAA, it could make a huge difference.
Another position that HIPAA never mentions – but that we wholeheartedly recommend – is someone to handle documentation of HIPAA security compliance.
Pick someone for the job with the following traits:
- Proficient writing skills
- A history of being organized
- Comfortable with adapting to change
They’ll most likely need to come up with their own system, unique to your company, and update it over time.
Although most people associate HIPAA security requirements with taking specific actions, they also demand that you document what your company has done to remain in compliance and what you have planned to continue doing this in the future.
This type of thorough documentation is required by HIPAA as part of their administrative safeguards. Again, that doesn’t mean you need to assign this task to someone as their job – the security officer could do it – but if you have the resources, having a separate person for the role is going to be best.
Implement the Basics of Security
HIPAA security requirements involve a number of measures you must take to keep protected health information (PHI) safe, especially in light of the many challenges presented by the digital age. While there are all kinds of expensive and complex protocols you can implement to keep your data secure, don’t forget about the relatively inexpensive and far simpler tools that make up the basics of digital security.
These are:
- Installing a firewall
- Using antimalware protection
- Requiring MFA (multifactor authentication) and strong passwords
- Teaching your staff about phishing and other common methods for gaining access to PHI
We’re not suggesting that these steps are sufficient in and of themselves. Again, there are certain HIPAA security standards you must observe. However, if you don’t take this checklist of fundamentals seriously, then your company may spend all kinds of time and money on the newest digital safeguards only to end up failing the most basic HIPAA security assessment.
Take an Inventory of PHI
It is so important that you actually understand what PHI your company has access to. For one thing, depending on what type of organization you run, there is only a certain amount your company needs to access. Be sure your staff isn’t able to see any more PHI than they absolutely need to in order to do their job. This is a common violation you can bet will be a part of any audit carried out by the Office of Civil Rights.
Next, you want to do your own HIPAA security assessment and see who in your company has access to what. This is something you’ll want to do whenever employees change roles or the nature of a role changes. You can’t risk granting more PHI access than an employee truly needs to do their job.
For your security assessment:
- Begin by deciding which job roles need access to what kind of PHI.
- Assign access accordingly.
- Track this in an Excel sheet.
- Whenever an employee is moved, check to see if their access is still appropriate by comparing their old role to their new one.
Make sure there is more than one copy of this Excel sheet and that the security ifficer is able to access it.
Map Out Data Flows
Now that you understand the types of access everyone needs and have confirmed it’s being used properly, you must document where and how your PHI is stored. Mapping out the flow means literally documenting how PHI is transferred throughout your company. It also means not just who has access, but how they go about accessing the PHI.
You’re not just documenting this, though. You also want to identify any weaknesses where this flow of information is vulnerable. This will address the technical safeguards and physical safeguards required for HIPAA security compliance.
Here is a checklist to use for this initial audit. We suggest going through it two or three times a year or whenever your treatment of PHI changes.
- How does our company receive access to PHI?
- How does our company disseminate the PHI to employees?
- Where is our system vulnerable to hacks or inappropriate access?
If your company is involved in a relationship between a covered entity and a business associate, then you have to understand how HIPAA security standards for your organization actually apply outside of its walls, too. The law requires special steps on your end to ensure that HIPAA security expectations are included in contracts signed with these other parties.
Understand the Difference Between Addressable and Required Specifications
Most of the HIPAA security standards you need to worry about involve policies and procedures your company must put in place to safeguard PHI. These are required specifications and, of course, it’s important you implement them and adhere to their provisions.
This is where you get into the addressable specifications of the HIPAA security rule. Mainly, your company must also have an HIPAA security assessment protocol in place. In addition to carrying it out to ensure you’re in compliance with the law, the practice must also include taking steps necessary to address any vulnerabilities you found and/or mitigate risks you came across.
To date, one of the largest penalties that has been assessed in relation to HIPAA was not because an actual event occurred (e.g., PHI was stolen), but because an organization wasn’t taking necessary steps to address the very possibility of such an event.
Keep that in mind when you’re carrying out these assessments. HIPAA security requirements place a premium on effort.
Fortunately, the government actually provides a checklist for HIPAA security requirements that even lists which are required and which are addressable.
Implement a Systematic Approach
If all of the above is beginning to feel a bit overwhelming to the point that you’re now worried about HIPAA security compliance, remember that countless companies have managed to stay on the right side of the law for over 20 years now.
It will also help if you take the time to put together a systematic approach before you begin with the two specifications we just mentioned. This doesn’t have to be very complicated or difficult either:
- Start by identifying the potential threats that your company can reasonably anticipate
- Then, review the security measures you have in place to prevent these from occurring and document what they are.
- Next, figure out the likelihood of these events occurring in the first place, what their potential impact would be and how much risk they present to your organization.
- Once you have this information, prioritize the risks that must be addressed immediately because they stand the best chance of occurring and having a serious impact.
- Document these findings and what actions your company is taking as a result.
This last part of the checklist – the documentation – will be an ongoing task as you work your way through the list of risks and figure out ways to mitigate them.
Encrypt All of Your Data
In this day and age, there is just no excuse for not using data encryption. Even organizations that never touch PHI should be encrypting everything, but this is especially true for companies that fall under HIPAA rules.
Think about how many of your employees use portable devices as part of their job:
- Laptops
- Portable Drives
- Mobile Devices
- Tablets
Then consider that, according to reports, half of all records that are exposed through data breaches are stored on mobile devices.
If you could do only one thing to keep your company out of trouble with the Department of Health and Human Services (DHHS), it should be to encrypt all protected health information on any data container that might leave the office at some point.
Stolen data that has been through encryption in accordance with the HIPAA Omnibus Final Rule is absolutely useless to a hacker. Furthermore, because you encrypted it, your company won’t face any penalties or be subject to patient-notification rules.
As we touched on at the beginning of the section, your company should already be using encryption, but it’s still wise to speak with your network security provider or IT officer to ensure that you’re following HIPAA’s encryption guidance.
Have a Plan for the Future
HIPAA security requirements aren’t just a one-time thing you can see to and then never touch on again. Hopefully, by now, it’s become clear that HIPAA security compliance is something you need to continually invest in over time.
In fact, this is something the law is quite clear about. Your security officer needs to regularly revisit your compliance efforts to make sure they are still relevant in light of any new threats or changes to the company or industry.
The person you put in charge of documentation should also be a part of this. They will need:
- A complete and systematic approach to documenting these attempts at improving your company’s security.
- Solid documentation for conducting these reviews in the future without overlooking any important elements.
- Constant reports to management to show their efforts and progress.
Continuous security awareness training for your employees is important, as well. Obviously, every new employee must be trained, but as HIPAA continues to be revised and cyberattacks evolve, your staff will need help understanding what’s expected of them. Security awareness training should include solid, hands-on knowledge of phishing risks and tactics through a program such as PhishSim by SecurityIQ.
Seek the Help of an Expert
Following HIPAA security standards can be tough and, even though we’ve tried to simplify things a bit with this checklist, it still may be a good idea to seek the help of a seasoned expert. If nothing else, you can pay a consultant to come in and do a comprehensive HIPAA security assessment of your company and find any holes in your attempts before the government – or a malicious party – does.
Of course, you can also hire a third party (such as a consultancy) to help your company implement HIPAA security measures from the ground up. They can literally give you a set of tasks you have to carry out relative to the industry you’re in and the unique aspects of your company, install necessary security software platforms, and more. This is an especially attractive option for small businesses or new companies that don’t want to waste time meeting compliance.
While the above is a lot to take in, it’s important you get started right away. As we mentioned earlier, the largest fine so far was levied on a company that simply didn’t make an effort to keep information safe. Although the end goal should be total security and compliance, you could find yourself in trouble just for not making compliance a main priority.
Sources
http://www.hipaaone.com/hipaa-security-checklist/
http://www.healthcareinfosecurity.com/essential-guide-to-hitech-act-a-2053
https://www.ihs.gov/hipaa/documents/ihs_hipaa_security_checklist.pdf
Implementing HIPAA Controls
https://www.healthit.gov/sites/default/files/comments_upload/hipaa-security-checklist.pdf