Definitive Guide To HIPAA Security Rule + Checklist

Jocelyn Samuels, then Director of the HHS Office for Civil Rights (OCR), sounded an alarm in February 2016 about HIPAA compliance violations. She went on record to say:

“While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules”

This is not just a blanket statement. Its effects have been felt far and wide. Just ask the University of Texas MD Anderson Cancer Center.

In June 2018 it was ordered to pay over $4.3 million in civil money penalties for failing to encrypt its own ePHI storage devices. Earlier, in August 2016, Advocate Health Care Network settled potential HIPAA violations for $5.55 million, the largest HIPAA settlement at the time.

Advocate had exposed the data of approximately 4 million individuals in three separate breaches. Healthcare organizations and their vendors have paid over $75 million in HIPAA settlements and penalties since 2016.

OCR's enforcement stance makes it essential to follow every item on the HIPAA compliance checklist.

One of the core components of HIPAA compliance is the HIPAA Security Rule checklist. The Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI), and those safeguards must be designed into any healthcare software that creates, receives, stores, or transmits it.

The Security Rule is the primary tool for protecting the confidentiality, integrity, and availability of patient data.

Defining the Roles Considered for HIPAA Compliance

The two most important actors in the HIPAA Compliance protocols are:

1. Covered entities (CE) 

A covered entity (CE) is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with standard transactions such as claims and billing.

Employment records a hospital holds purely in its role as an employer are not PHI, so a hospital is generally not acting as a CE when it maintains those.

However, if the hospital sponsors a group health plan or an employee assistance program for its staff, the health information held by that plan is PHI.

An organization that performs both covered and non-covered functions can designate itself a ‘hybrid entity’ (HE) so that HIPAA applies to the covered part. A breach of the plan's data (part of the employee benefits program) is still a HIPAA breach incident and must be promptly reported.

2. Business associates (BA) 

A business associate (BA) performs a function or service on behalf of a CE that involves access to ePHI. Any person, institution, or organization in that position is a BA. Typical BAs include:

  • Accountants
  • Lawyers
  • IT Partners
  • Cloud service providers
  • Any other type of service provider with access to ePHI

A CE may engage third-party BAs as its business requires, for example for HIPAA compliant hosting. Before sharing ePHI it must obtain a signed business associate agreement (BAA) in which the BA commits to safeguarding the ePHI under the HIPAA Rules.

What is covered under the HIPAA Security Rule Checklist?

The HIPAA Security Rule applies to all covered entities and business associates and has many moving parts.

Administrative safeguards under HIPAA Security Rule

1. Security Management Process

CEs must have policies and procedures in place to prevent, detect, contain, and correct security violations. This starts with a risk analysis of the threats to ePHI, followed by risk management that reduces the identified risks to a reasonable level, repeated on an ongoing basis.

The same analysis must be applied before adopting any new process or system that uses ePHI directly or indirectly.

2. Workforce security and Information Access Management

CEs must define which workforce roles need what kind of access to patients’ ePHI and take concrete steps to enforce that access control.

ePHI must not be freely accessible; it is released only on a need-to-know basis. In practice this means permissions are reviewed and updated as roles change, and access is terminated promptly when a workforce member leaves.

3. Security Awareness and Training

Everyone who has access to ePHI at any time, for any length of time, must be trained in which rules apply and how to follow them, with periodic security reminders.

4. Assigned Security Responsibility

Responsibility for complying with the HIPAA Security Rule must be assigned to a named security official. The rule requires one designated official; naming a deputy to cover the official's absence is good practice, not a requirement.

5. Security Incident Procedures

The CE must have procedures to identify and respond to suspected or known security incidents, mitigate their harmful effects, and document every incident and its outcome. Breaches must then be reported under the Breach Notification Rule.

Beyond that, the CE should put monitoring in place so that incidents are detected early and, where possible, prevented before they cause harm.

6. Contingency Plans

The contingency plan must include the following:

  • A data backup plan
  • A disaster recovery plan
  • An emergency mode operation plan that keeps critical business processes running, and ePHI protected, during an emergency

The CE must test these plans periodically and revise them as systems and regulations change. The standard also calls for an applications and data criticality analysis that ranks which systems must be restored first.

7. Evaluation

The CE must periodically evaluate, both technically and non-technically, whether its security policies and procedures still meet the Security Rule. This is especially important after operational or environmental changes (new systems, new vendors, a move) and after changes to the regulations themselves.

8. Contracts with Business Associates (BAs)

To engage a BA, the CE must sign a business associate agreement with them. This agreement must explicitly state:

  • What ePHI the BA will have access to during the course of the agreement
  • How it will be used
  • How the BA will return or destroy the data after the agreement ends

Since the 2013 Omnibus Rule, BAs are directly liable for complying with the Security Rule, and a BA's own subcontractors that handle ePHI must sign equivalent agreements.

Physical safeguards under HIPAA Security Rule

Facility access controls: the CE must restrict physical access to server rooms and any other area where ePHI is stored, with access controlled and audited regularly. CCTV coverage of server room entrances is a common supporting measure.

Workstation security: every computer and storage device that handles ePHI, in every department, must be protected so that only authorized users can use it.

That means strong credentials, screen locks, and encryption of the device. Rotating passwords on a fixed monthly or quarterly schedule is not required by the rule; current NIST guidance (SP 800-63B) favors long passwords, checks against breached-password lists, and multi-factor authentication over forced periodic changes.

Device and media controls: the same access standards apply equally to:

  • desktops and laptops inside and outside the premises.
  • all types of removable storage drives (USB drives, internal and external hard drives) used with these devices, including how they are wiped or destroyed before disposal or reuse.

Technical safeguards under HIPAA Security Rule

Technical safeguards are typically built into the healthcare application itself, so your software development partner is usually the one implementing them.

1. Access controls

Access to all systems and documents that store or process ePHI must be granted on a need-only basis, with a unique identifier for every user, an emergency access procedure, and automatic logoff of idle sessions. The CE must also regularly audit access control lists and correct any discrepancies without delay.

2. Audit Controls

Systems must record activity in every component that handles ePHI so that, in the event of a breach, the CE can reconstruct the complete trail: who accessed which records, from where, and when. The logs must be retained and protected from alteration; an audit trail that can be edited after the fact cannot prove how a breach occurred.

3. Integrity

The CE must protect the ePHI it stores or exchanges from improper alteration or destruction by internal as well as external threats, and must be able to confirm that ePHI has not been altered, for example with checksums, message authentication codes, or digital signatures. When a breach is investigated, the CE must be able to show which records were affected and whether they were modified.

4. Secure Transmission

The CE must protect ePHI in transit with appropriate protocols, typically TLS for web and API traffic, with integrity checks so that tampering in transit is detected, and must secure access to the data at the receiving site. When required, the CE must be able to furnish evidence of the transmission security in use.

5. Person or Entity Authentication

The CE must be able to verify that the person or system accessing ePHI is who it claims to be. In practice this means credentials are individual and never shared, and lost credentials are reported and revoked immediately.

CEs should control access to ePHI with strong authentication: multi-factor authentication, biometrics such as retina scans, or other methods stronger than a password alone.
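The three safeguards that most often end up in application code, access control, audit controls, and integrity, fit together naturally: an access decision is made per role, every attempt is logged, and the log is made tamper-evident so it can stand as evidence. The example below is an added illustration written for this page, not code from the original article or from Arkenea. The roles, field names, sample patient record, and AUDIT_KEY are hypothetical; in production the key lives in a KMS or HSM and the log store is append-only.

```python
# Added example: role-based need-to-know release of ePHI fields, an audit trail
# of every attempt (allowed or denied), and an HMAC chain over the audit entries
# so that editing or deleting an entry is detected by verify().
import datetime
import hashlib
import hmac
import json

# Hypothetical need-to-know matrix: role -> ePHI fields that role may read.
ROLE_PERMISSIONS = {
    "physician": {"diagnosis", "medications", "lab_results", "contact"},
    "billing": {"insurance_id", "contact"},
    "front_desk": {"contact"},
}

# Hypothetical key for the audit chain. In production keep it in a KMS/HSM
# and give the application write-only access to the log store.
AUDIT_KEY = b"example-audit-key-store-me-in-a-kms"


class AuditLog:
    """Append-only audit trail whose entries are HMAC-chained."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, body: dict, prev_mac: str) -> str:
        # The MAC covers the canonical JSON of this entry plus the previous
        # entry's MAC, so the chain breaks at the first altered or removed entry.
        payload = json.dumps({k: v for k, v in body.items() if k != "mac"},
                             sort_keys=True)
        return hmac.new(self._key, (prev_mac + "|" + payload).encode(),
                        hashlib.sha256).hexdigest()

    def record(self, user_id, role, patient_id, fields, outcome, when=None):
        """Append one entry: who (user, role), what (patient, fields), when, outcome."""
        entry = {
            "ts": when or datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "user": user_id,
            "role": role,
            "patient": patient_id,
            "fields": sorted(fields),
            "outcome": outcome,
        }
        prev = self.entries[-1]["mac"] if self.entries else ""
        entry["mac"] = self._mac(entry, prev)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first_bad_index)."""
        prev = ""
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(self._mac(entry, prev), entry["mac"]):
                return False, i
            prev = entry["mac"]
        return True, None


def read_ephi(audit, user_id, role, patient_record, requested_fields):
    """Return only the requested fields if the role may see all of them.

    A request containing any field outside the role's need-to-know is denied
    as a whole; both outcomes are written to the audit trail."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    requested = set(requested_fields)
    patient_id = patient_record["patient_id"]
    if not requested or not requested <= allowed:
        audit.record(user_id, role, patient_id, requested, "DENIED")
        return None
    audit.record(user_id, role, patient_id, requested, "ALLOWED")
    return {f: patient_record.get(f) for f in requested}


def demo():
    """Walk through allowed and denied reads, then show tamper detection."""
    # Constructed, fictitious patient record used only for this example.
    record = {
        "patient_id": "P-0001",
        "contact": "555-0100",
        "insurance_id": "INS-42",
        "diagnosis": "J45.909",
        "medications": ["albuterol"],
        "lab_results": {"HbA1c": 5.4},
    }
    audit = AuditLog(AUDIT_KEY)
    doc = read_ephi(audit, "dr_lee", "physician", record, ["diagnosis", "medications"])
    bill = read_ephi(audit, "j_billing", "billing", record, ["diagnosis"])  # denied
    desk = read_ephi(audit, "desk_1", "front_desk", record, ["contact"])
    intact_before = audit.verify()
    # An insider rewrites the denied attempt to hide it; the chain breaks at index 1.
    audit.entries[1]["outcome"] = "ALLOWED"
    intact_after = audit.verify()
    return doc, bill, desk, intact_before, intact_after
```

Calling demo() returns the physician's two fields, None for the billing user who asked for a diagnosis, the front desk's contact field, (True, None) for the untouched chain, and (False, 1) once the denied entry has been rewritten. Deleting an entry fails the same way, because the entry after the gap was MACed against a previous MAC that no longer precedes it. The denial-as-a-whole rule is deliberate: silently returning a subset would let a client discover the permission matrix by probing.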

How to ensure HIPAA Compliance to avoid hefty fines

HIPAA compliance goes beyond the Security Rule checklist. It also includes the Privacy Rule, the Breach Notification Rule, the Enforcement Rule, and the 2013 Omnibus Rule that extended direct liability to business associates. A thorough risk assessment is a must for every healthcare app.

Arkenea has over a decade of experience in developing HITRUST and HIPAA compliant apps. We are an award-winning healthcare software development company. This makes us uniquely positioned to apply the right technical safeguards to your websites and mobile apps. Our solution architects can also help you identify and engage with the right HIPAA compliant cloud storage for your business needs.