LuxSci

HIPAA Compliance Checklist: What You Need To Do


LuxSci provides HIPAA-compliant services and must itself maintain HIPAA-compliant business operations in order to comply with HIPAA HITECH and Omnibus regulations.  As such, many of our customers and leads look to us to find out exactly what they need to do to be compliant.

This article provides you with a quick and easy-to-read overview of the various things needed for compliance. The items given below should not be considered a complete or formal list for compliance, nor will doing all of these things guarantee that you are compliant. As always, we recommend that you consult a lawyer to determine the compliance needs specific to your particular situation.

Once you are ready to proceed with compliance, LuxSci recommends that you appoint a HIPAA compliance officer who will read and understand the federal regulations. You should also seek the help of an attorney familiar with HIPAA who can answer any questions that you may have and advise you on gray areas.

The HITECH legislation is Title XIII of the 2009 American Recovery and Reinvestment Act, and can be found beginning on page 112 of the official document at: http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf

See also: the HIPAA Security rule and the HIPAA Privacy Rule.

What HIPAA Applies To – PHI

HIPAA applies to “PHI” (Protected Health Information). This is health-related information together with anything that identifies whom it belongs to, e.g. names, email addresses, phone numbers, medical record numbers, photos, driver’s license numbers, etc. If you have something that can identify a person together with health information of any kind (from an appointment, to a list of prescriptions, to test results, to a list of doctors), you have PHI that needs to be protected per HIPAA. ePHI is merely PHI that is stored or transmitted electronically (i.e. via email, text message, web site, database, online document storage, electronic FAX, etc.).

If you do not work with PHI at all, then HIPAA does not apply to you.

For more details, see: What exactly is ePHI?  Who has to worry about it? Where can it be safely located?

Who HIPAA Applies To – Covered Entities and everyone touching PHI

“Covered Entities” include:

  1. Health plans: With certain exceptions, an individual or group plan that provides or pays the cost of medical care.
  2. Health care clearinghouses: An entity that either processes or facilitates the processing of health information from various organizations, e.g. reformatting or processing the data into standard formats.
  3. Health care providers: Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

The HITECH additions to HIPAA extend HIPAA compliance requirements to all Business Associates of Covered Entities. Further, the Omnibus rule requires that all Business Associates of Business Associates also be compliant. I.e. everyone in the chain of companies from the Covered Entities onward needs to be compliant! Even law firms need to comply with HIPAA where they come into contact with PHI.

Note that individuals (unless they fall into one of the above categories) do not have to be HIPAA compliant. So, for example, it is “OK” for a patient to be non-compliant in communicating with his doctor; however, the doctor must be compliant when communicating back and must be compliant in handling the patient’s communications once received.

Addressable vs. Required

The HIPAA language uses the terms ‘required’ and ‘addressable’. Required (R) means that the given standard is mandatory and, therefore, must be complied with. Addressable (A) means that the given standard must be implemented by the organization unless assessments and in-depth risk analysis conclude that implementation is not reasonable and appropriate in the specific business setting. Important Note: Addressable does not mean optional.

With regard to Addressable, an organization should read and decipher each HIPAA standard separately and deal with each piece independently in order to determine an approach that meets the needs of the organization.

The General Rules of the HIPAA Security Standard reflect a “technology-neutral” approach. This means that there are no specific technological systems to employ and no specific recommendations, just so long as the requirements for protecting the data are met.

How do you know what you need to address? That is “up to you”, but one general rule of thumb is that if there is “risk” you should “address it”.

For example, using encryption when sending ePHI electronically is “Addressable”.  If that ePHI is going over the public Internet and it is not encrypted, then there is substantial risk of disclosure and you certainly should use encryption or could be found willfully negligent and liable if there was ever an issue. If, however, that data is merely traveling between two machines in your office over a private/closed network segment, then there may be no need to encrypt the data flow.

Ignoring HIPAA requirements, addressable or required, is “willful negligence”.  If there is a problem, the penalties in cases of  willful negligence are maximally severe.  Ignorance is no excuse.

HIPAA Administrative Requirements

People and organizations who seek compliance with HIPAA should consider:

  1. Risk Analysis: (R) Perform and document a risk analysis to find where PHI is used and stored and to identify all the ways in which HIPAA could be violated.
  2. Risk Management: (R) Implement measures sufficient to reduce these risks to an appropriate level.
  3. Sanction Policy: (R) Implement sanction policies for employees who fail to comply.
  4. Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc.
  5. Officers: (R) Designate HIPAA Security and Privacy Officers.
  6. Employee Oversight: (A) Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees.  Ensure that an employee’s access to PHI ends with termination of employment.
  7. Multiple Organizations: (R) Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
  8. ePHI Access: (A) Implement procedures for granting access to ePHI and which document access to ePHI or to services and systems which grant access to ePHI.
  9. Security Reminders: (A) Periodically send updates and reminders of security and privacy policies to employees.
  10. Protection against Malware: (A) Have procedures for guarding against, detecting, and reporting malicious software.
  11. Login Monitoring: (A) Institute monitoring of logins to systems and reporting of discrepancies.
  12. Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords.
  13. Response and Reporting: (R) Identify, document, and respond to security incidents.
  14. Contingency Plans: (R) Ensure there are accessible backups of ePHI and that there are procedures for restoring any lost data.
  15. Contingency Plans Updates and Analysis: (A) Have procedures for periodic testing and revision of contingency plans.  Assess the relative criticality of specific applications and data in support of other contingency plan components.
  16. Emergency Mode: (R) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  17. Evaluations: (R) Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
  18. Business Associate Agreements: (R) Have special contracts with business partners who will have access to your PHI to ensure that they will be compliant.  Choose partners that have similar agreements with any of their partners to which they are also extending access.
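Items 6 and 11 above call for monitoring logins and reporting discrepancies, and for making sure access ends with employment. The following is an added example, not LuxSci code: a small reviewer that scans authentication log lines and reports three kinds of discrepancy (bursts of failures from one source, a successful login by a terminated account, and a success from a source never seen for that user). The log format, the thresholds, the terminated-user list and the sample log lines are all constructed for this illustration.

```python
"""Login monitoring over authentication log lines (administrative items 6 and 11).

Added example, not LuxSci code. The log format, the thresholds and the
terminated-user list are assumptions made for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO-8601 UTC timestamp, user, source IP, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5                  # failures from one source inside the window
FAIL_WINDOW = timedelta(minutes=10)

# Accounts whose employment has ended; a successful login here is a discrepancy
# (item 6: access must end with termination). Constructed list.
TERMINATED_USERS = {"rsmith"}

def parse_line(line):
    """Return (timestamp, user, src, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]

def review_logins(lines, known_sources=None):
    """Scan log lines in order and return a list of (kind, detail) findings.

    known_sources maps user -> set of source IPs already seen for that user.
    A success from a new source for an already-seen user is reported so a
    person can confirm it; it is a discrepancy to review, not proof of compromise.
    Unparseable lines are reported too, since a log that silently drops
    records is itself a finding for the activity review (item 4).
    """
    known = defaultdict(set, {u: set(s) for u, s in (known_sources or {}).items()})
    recent_fail = defaultdict(deque)   # src -> timestamps of recent failures
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line.strip()))
            continue
        ts, user, src, result = rec
        if result == "FAIL":
            q = recent_fail[src]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:           # report once, when the threshold is hit
                findings.append(("burst_failures",
                                 f"{src}: {FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
            continue
        # result == "OK"
        if user in TERMINATED_USERS:
            findings.append(("terminated_user_login", f"{user} from {src} at {ts.isoformat()}Z"))
        if known[user] and src not in known[user]:
            findings.append(("new_source", f"{user} logged in from unfamiliar {src}"))
        known[user].add(src)
    return findings

# Constructed sample log: one normal login, a burst of failures, a login by a
# terminated account, the same user returning from the attacker's source, and noise.
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z LOGIN user=jdoe src=198.51.100.7 result=OK",
    "2024-05-01T08:01:00Z LOGIN user=jdoe src=203.0.113.9 result=FAIL",
    "2024-05-01T08:01:10Z LOGIN user=jdoe src=203.0.113.9 result=FAIL",
    "2024-05-01T08:01:20Z LOGIN user=jdoe src=203.0.113.9 result=FAIL",
    "2024-05-01T08:01:30Z LOGIN user=jdoe src=203.0.113.9 result=FAIL",
    "2024-05-01T08:01:40Z LOGIN user=jdoe src=203.0.113.9 result=FAIL",
    "2024-05-01T08:05:00Z LOGIN user=rsmith src=198.51.100.7 result=OK",
    "2024-05-01T08:06:00Z LOGIN user=jdoe src=203.0.113.9 result=OK",
    "garbage line",
]

if __name__ == "__main__":
    for kind, detail in review_logins(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

The findings are returned rather than printed so they can feed a ticketing system or the periodic activity review; in production the parser would be replaced by one for your actual authentication source, and the thresholds tuned to your environment.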

HIPAA Physical Requirements

  1. Contingency Operations: (A) Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  2. Facility Security: (A) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  3. Access Control and Validation: (A) Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  4. Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.
  5. Workstations: (R) Implement policies governing what software can/must be run and how it should be configured on systems that provide access to ePHI. Safeguard all workstations providing access to ePHI and restrict access to authorized users.
  6. Devices and Media Disposal and Re-use: (R) Create procedures for the secure final disposal of media that contain ePHI and for the reuse of devices and media that could have been used for ePHI.
  7. Media Movement: (A) Record movements of hardware and media associated with ePHI storage.  Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

HIPAA Technical Requirements

  1. Unique User Identification: (R) Assign a unique name and/or number for identifying and tracking user identity.
  2. Emergency Access: (R) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  3. Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  4. Encryption and Decryption: (A) Implement a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.
  5. Audit Controls: (R) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  6. ePHI Integrity: (A) Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
  7. Authentication: (R) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  8. Transmission Security: (A) Implement technical security measures to guard against unauthorized access to electronic protected health information that is transmitted over an electronic communications network.
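Several of the technical requirements above (unique user identification, automatic logoff, audit controls, ePHI integrity and authentication) map onto concrete mechanisms. The block below is an added example, not LuxSci code, that shows one minimal implementation of each using only the Python standard library: unique user ids with salted PBKDF2 password hashes, a session that ends after a fixed inactivity period, a hash-chained audit log that exposes edits or deletions, and an HMAC seal over a record that detects alteration. The user names, the inactivity limit, the record layout and the in-memory key are assumptions for this illustration; item 4 (encryption at rest) is left out because the standard library has no authenticated cipher and a vetted library should be used for it.

```python
"""Minimal illustrations of HIPAA technical safeguards 1, 3, 5, 6 and 7.

Added example, not LuxSci code. Names, the inactivity limit and the audit-log
layout are assumptions. The integrity key is generated in memory here; in a
real system it would come from a key management service or HSM.
"""
import hashlib
import hmac
import json
import os
import secrets

INACTIVITY_LIMIT = 15 * 60                 # seconds; assumed automatic-logoff threshold
INTEGRITY_KEY = secrets.token_bytes(32)    # assumption: replaced by a managed key in practice

# --- Items 1 and 7: unique user identification and authentication ----------
users = {}   # user_id -> {"salt": bytes, "hash": bytes}

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(user_id, password):
    """Each person gets a unique id; passwords are stored only as salted hashes."""
    if user_id in users:
        raise ValueError("user id must be unique")
    salt = os.urandom(16)
    users[user_id] = {"salt": salt, "hash": _pbkdf2(password, salt)}

def authenticate(user_id, password):
    """Verify the claimed identity; constant-time compare avoids timing leaks."""
    rec = users.get(user_id)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _pbkdf2(password, rec["salt"]))

# --- Item 3: automatic logoff after inactivity -----------------------------
class Session:
    def __init__(self, user_id, now):
        self.user_id, self.last_activity, self.active = user_id, now, True

    def touch(self, now):
        """Record activity; return False (and end the session) once the limit has passed."""
        if self.active and now - self.last_activity > INACTIVITY_LIMIT:
            self.active = False
        if self.active:
            self.last_activity = now
        return self.active

# --- Item 5: audit controls, a hash-chained append-only log -----------------
audit_log = []

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def audit(event, user_id, now):
    """Append an entry whose hash covers the previous entry's hash."""
    prev = audit_log[-1]["hash"] if audit_log else "0" * 64
    entry = {"ts": now, "user": user_id, "event": event, "prev": prev}
    entry["hash"] = _digest(entry)
    audit_log.append(entry)

def audit_log_intact(log):
    """Recompute the chain; any edited or removed entry breaks it."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True

# --- Item 6: ePHI integrity via an HMAC over the record ---------------------
def seal(record):
    data = json.dumps(record, sort_keys=True).encode()
    return {"record": record, "mac": hmac.new(INTEGRITY_KEY, data, "sha256").hexdigest()}

def verify(sealed):
    data = json.dumps(sealed["record"], sort_keys=True).encode()
    return hmac.compare_digest(sealed["mac"], hmac.new(INTEGRITY_KEY, data, "sha256").hexdigest())

def demo():
    """Exercise every safeguard on constructed data and return the outcomes."""
    users.clear(); audit_log.clear()
    register("dr.lee", "correct horse battery")           # constructed credentials
    t0 = 1_700_000_000
    s = Session("dr.lee", t0)
    audit("login", "dr.lee", t0)
    still_open = s.touch(t0 + 60)                          # within the limit
    timed_out = s.touch(t0 + 60 + INACTIVITY_LIMIT + 1)    # past it: logged off
    chart = seal({"patient": "MRN-0001", "note": "constructed sample"})
    tampered = {"record": dict(chart["record"], note="altered"), "mac": chart["mac"]}
    audit("chart_read", "dr.lee", t0 + 60)
    forged = [dict(e) for e in audit_log]
    forged[0]["user"] = "someone.else"                     # rewrite history
    return {"auth_ok": authenticate("dr.lee", "correct horse battery"),
            "auth_bad": authenticate("dr.lee", "wrong"),
            "still_open": still_open, "timed_out": timed_out,
            "chart_ok": verify(chart), "tampered_ok": verify(tampered),
            "chain_ok": audit_log_intact(audit_log), "forged_chain_ok": audit_log_intact(forged)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

Each mechanism is deliberately small: the point is that every safeguard in the list corresponds to something testable, so a compliance officer can ask for the evidence (the hash chain verifies, the session really closes, a modified record really fails) rather than for a policy document alone.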

What Else?

Well, that is not all.  That is only a brief summary of many of the major points.  You really need to go back to the legal documents and interpret them as they apply to your specific organization.  Of course, if you can offload some of the ePHI from your office or electronic systems, then you also offload some of the responsibility and requirements.  This is why outsourcing of items like compliant email is very popular.

To read more about various aspects of HIPAA and technologies you may be using, we recommend:

  1. 7 steps to make your web site HIPAA-secure
  2. Gmail and Google Apps – Not HIPAA Compliant Email
  3. Is a FAX document HIPAA Secure?
  4. Is Skype HIPAA Compliant?  If not, what is?
  5. Is Text Messaging HIPAA Compliant?
  6. Jump/Thumb Drives and PHI Don’t Mix
  7. Opt-In Email Encryption is too Risky with HIPAA Omnibus
  8. WordPress for HIPAA and ePHI?  Is that a good idea?
