HIPAA Compliance Checklist: What You Need To Do
LuxSci provides HIPAA-compliant services and must itself maintain HIPAA-compliant business operations in order to comply with HIPAA HITECH and Omnibus regulations. As such, many of our customers and leads look to us to find out exactly what they need to do to be compliant.
This article provides you with a quick and easy-to-read overview of the various things needed for compliance. The items given below should not be considered a complete or formal list for compliance, nor will doing all of these things guarantee that you are compliant. As always, we recommend that you consult a lawyer to determine the compliance needs specific to your particular situation.
Once you are ready to proceed with compliance, you are required to appoint a “HIPAA compliance officer” who will read and understand the federal regulations. You should also seek the help of an attorney familiar with HIPAA who can answer any questions that you may have and advise you on gray areas.
The HITECH legislation is Title XIII of the 2009 American Recovery and Reinvestment act, and can be found beginning on page 112 in the official document at:http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf
What HIPAA Applies To – PHI
HIPAA applies to “PHI” (Protected Health Information). This is information that identifies who the health-related information belongs to. I.e. names, email addresses, phone numbers, medical record numbers, photos, drivers license numbers, etc. If you have something that can identify a user together with health information of any kind (from an appointment, to a list of prescriptions, to test results, to a list of doctors) you have PHI that needs to be protected per HIPAA. ePHI is merely PHI that is stored or transmitted electronically (i.e. via email, text message, web site, database, online document storage, electronic FAX, etc.).
If you do not work with PHI at all, then HIPAA does not apply to you.
For more details, see: What exactly is ePHI? Who has to worry about it? Where can it be safely located?
Who HIPAA Applies To – Covered Entities and everyone touching PHI
Covered Entities” include:
- Health plans: With certain exceptions, an individual or group plan that provides or pays the cost of medical care.
- Health care clearinghouses: An entity that either process or facilitates the processing of health information from various organizations. I.e. to reformat or process the data into standard formats.
- Health care providers: Care, services, or supplies related to the health of an individual, including (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
The HITECH additions to HIPAA extend HIPAA compliance requirements to all Business Associates of Covered Entities. Further the Omnibus rule requires that all Business Associates of Business Associates to also be compliant. I.e. everyone in the chain of companies from the Covered Entitles onward needs to be compliant! Even law firms need to comply with HIPAA were they contact PHI.
Note that individuals (unless they fall into one on of the above categories) do not have to be HIPAA compliant. So, for example, it is “OK” for a patient to be non-compliant in communicating with his doctor; however, the doctor must be compliant when communicating back and must be compliant with the patient’s communications once received.
Addressable vs. Required
The HIPAA language uses the terms ‘required’ and ‘addressable’. Required (R) means that the given standard is mandatory and, therefore, must be complied with. Addressable (A) means that the given standards must be implemented by the organization unless assessments and in depth risk analysis conclude that implementation is not reasonable and appropriate specific to a given business setting. Important Note: Addressable does not mean optional.
With regard to Addressable, an organization should read and decipher each HIPAA standard separately and deal with each piece independently in order to determine an approach that meets the needs of the organization.
The General Rules of the HIPAA Security Standard reflect a “technology-neutral” approach. This means that there are no specific technological systems to employ and no specific recommendations, just so long as the requirements for protecting the data are met.
How do you know what you need to address? That is “up to you”, but one general rule of thumb is that if there is “risk” you should “address it”.
For example, using encryption when sending ePHI electronically is “Addressable”. If that ePHI is going over the public Internet and it is not encrypted, then there is substantial risk of disclosure and you certainly should use encryption or could be found willfully negligent and liable if there was ever an issue. If, however, that data is merely traveling between two machines in your office over a private/closed network segment, then there may be no need to encrypt the data flow.
Ignoring HIPAA requirements, addressable or required, is “willful negligence”. If there is a problem, the penalties in cases of willful negligence are maximally severe. Ignorance is no excuse.
HIPAA Administrative Requirements
People and organizations who seek compliance with HIPAA should consider:
- Risk Analysis: (R) Perform and document a risk analysis to see where PHI is being used and stored and to determine what all possible ways HIPAA could be violated are
- Risk Management: (R) Implement measures sufficient to reduce these risks to an appropriate level.
- Sanction Policy: (R) Implement sanction policies for employees who fail to comply.
- Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc.
- Officers: (R) Designate HIPAA Security and Privacy Officers
- Employee Oversight: (A) Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
- Multiple Organizations: (R) Ensure that PHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
- ePHI Access: (A) Implement procedures for granting access to ePHI and which document access to ePHI or to services and systems which grant access to ePHI.
- Security Reminders: (A) Periodically send updates and reminders of security and privacy policies to employees.
- Protection against Malware: (A) Have procedures for guarding against, detecting, and reporting malicious software.
- Login Monitoring: (A) Institute monitoring of logins to systems and reporting of discrepancies.
- Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords.
- Response and Reporting: (R) Identify, document, and respond to security incidents.
- Contingency Plans: (R) Ensure there are accessible backups of ePHI and that there are procedures for restore any lost data.
- Contingency Plans Updates and Analysis: (A) Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
- Emergency Mode: (R) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
- Evaluations: (R) Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
- Business Associate Agreements: (R) Have special Omnibus-compliant contracts with business partners who will have access to your PHI to ensure that they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.
HIPAA Physical Requirements
- Contingency Operations: (A) Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
- Facility Security: (A) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Access Control and Validation: (A) Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security
- Workstations: (R) Implement policies governing what software can/must be run and how it should be configured on systems that provide access ePHI. Safeguard all workstations providing access to ePHI and restrict access to authorized users.
- Devices and Media Disposal and Re-use: (R) Create procedures for the secure final disposal of media that contain ePHI and for the reuse of devices and media that could have been used for ePHI.
- Media Movement: (A) Record movements of hardware and media associated with ePHI storage. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
HIPAA Technical Requirements
- Unique User Identification: (R) Assign a unique name and/or number for identifying and tracking user identity.
- Emergency Access: (R) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
- Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Encryption and Decryption: (A) Implement a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.
- Audit Controls: (R) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- ePHI Integrity: (A) Implement policies and procedures to Protect electronic protected health information from improper alteration or destruction.
- Authentication: (R) Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- Transmission Security: (A) Implement technical security measures to guard against unauthorized access to electronic protected health information that is transmitted over an electronic communications network.
Well, that is not all. That is only a brief summary of many of the major points. You really need to go back to the legal documents and interpret them as they apply to your specific organization. Of course, if you can offload some of the ePHI from your office or electronic systems, then you also offload some of the risk, responsibility, and requirements. This is why outsourcing of items like compliant email is very popular.
To read more about various aspects of HIPAA and technologies you may be using, we recommend:
- What exactly does HIPAA say about Email Security?
- If my web site is very simple, do I have to worry about HIPAA compliance?
- What exactly is ePHI? Who has to worry about it? Where can it be safely located?
- Willful Negligence of HIPAA Costs a Dermatology Company $150,000
- HIPAA Compliant Email Marketing