Definitive Guide (2019) To HIPAA Security Rule + Checklist
Jocelyn Samuels, Director of the Office for Civil Rights (OCR), sounded an alarm in February 2016 about HIPAA compliance violations. She went on record to say:
"While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules"
This is not just a blanket statement. Its effects have been seen far and wide. Just ask the University of Texas MD Anderson Cancer Center.
They paid fines of over $4.3 million in June 2018 for lack of encryption on their own ePHI storage devices. In the largest-ever HIPAA violation, Advocate Health Care Network settled HIPAA penalties for $5.5 million in February 2017. They had lost data of approximately 4 million individuals in 3 separate data breaches. Healthcare companies and vendors have spent over $75 million in HIPAA non-compliance fines since 2016.
The stringent stance of the OCR makes it mandatory to follow all the tenets of the HIPAA Compliance Checklist.
One of the core components of HIPAA Compliance is the HIPAA Security Rule Checklist. It provides physical, technical, and administrative safeguards for electronic protected health information (ePHI). The Security Rule is an important tool for defending the confidentiality, integrity, and security of patient data.
Defining the roles considered for HIPAA Compliance
The two most important actors in the HIPAA Compliance protocols are:
1. Covered entities (CE)
A covered entity (CE) is any person, institution, or organization involved in ePHI exchange for medical billing and insurance purposes. This includes healthcare providers, healthcare clearinghouses, and health plans.
A hospital maintaining ePHI for its employees is generally not considered a CE.
However, the hospital may provide an employee health cover (or an employee assistance program) for its employees. This hospital is then covered under HIPAA as a ‘hybrid entity’ (HE). A breach of this data (part of the employee benefits program) is still considered a HIPAA Breach Incident and must be promptly reported.
2. Business associates (BA)
A business associate (BA) provides an extension service to a CE. This could be any person, institution, or organization that has access to ePHI as part of the service it provides to the CE. Typically, the following service providers to a CE are considered BAs:
- IT Partners
- Cloud service providers
- Any other type of service provider with access to ePHI
A CE can engage a third-party BA according to its own business requirements, for example for HIPAA compliant cloud storage. However, it must obtain a signed assurance that the BA understands the rules and is ready to take measures to enforce them.
What is covered under the HIPAA Security Rule Checklist?
The HIPAA Security Rule applies to all covered entities and business associates and has many moving parts.
Administrative safeguards under HIPAA Security Rule
1. Security Management Process
CEs must ensure appropriate policies and procedures are in place to detect, correct, and contain security violations. They must apply the procedures of the Risk Management Framework on an ongoing basis. The framework should also be applied when implementing any new policy that involves the use of ePHI, directly or indirectly.
2. Workforce security and Information Access Management
CEs must also determine which employee role requires what kind of access to a patient's ePHI and take concrete steps to enforce that access control. This means ePHI must not be accessed freely but only on a need-to-know basis. It may involve regularly updating data permissions on a case-by-case basis.
3. Security Awareness and Training
All those who have access to ePHI at any time (and for any amount of time) must be trained in what rules to follow and how to follow them.
4. Assigned Security Responsibility
The responsibility for complying with the HIPAA Security Rule must be assigned to a security officer. The CE must provide a secondary security officer as a backup in the absence of the primary security officer.
5. Security Incident Procedures
All security incidents or breaches must be promptly and thoroughly reported. Additionally, the CE can also set up processes to prevent these incidents from occurring in the first place. These security support systems help predict and prevent security incidents before they occur.
6. Contingency Plans
The contingency plan must include the following:
- A disaster recovery plan
- A data backup plan
- A plan to maintain normalcy (or near-normalcy) of operations in the event of a breach
The CE must also regularly update these plans to keep pace with the evolving HIPAA regulations. The standard also defines how to handle critical software applications involved in the breach.
7. Contracts with Business Associates (BAs)
To engage a BA for its services, the CE must sign an agreement with it. This agreement must explicitly state:
- What ePHI the BA will have access to during the course of the agreement
- How it will be used
- How the BA plans to destroy/return the data after the agreement ends
So, the BA also effectively becomes a CE for the purpose of the agreement.
Physical safeguards under HIPAA Security Rule
The CE must lock its server rooms and have access to them controlled and audited regularly. It can also use an appropriate number of CCTV cameras to track server room usage. The CE must also password-protect all the computers and storage devices (in all departments) that it uses in its IT processes. Security measures should also ensure these passwords are not weak and that users update them on a monthly (or quarterly) basis.
All the access standards are equally applicable to:
- desktops and laptops inside and outside the premises
- all types of removable storage drives (USB drives, internal and external hard drives) used with these devices
Technical safeguards under HIPAA Security Rule
1. Access controls
Access to all devices and documents that store and process ePHI must be granted on a need-only basis. The CE must also regularly audit access control lists to address any discrepancies in access without delay.
2. Audit Controls
In the case of a data breach, the CE must be able to show the complete trail of the breach – including who accessed what data and when. The audit report must include enough information to prove exactly how the breach occurred.
3. Integrity
The CE must be able to prove that it fully protects all the ePHI that its facility exchanges or stores from internal as well as external threats. When required, the CE must readily provide proof of access to breached documents.
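The access-control, audit-control and integrity requirements above are easier to reason about with a concrete model. The following is an added example, not code from the original article or from any product it mentions: a hypothetical ePHI access gate that grants access by role on a need-to-know basis, records every decision (allowed or denied) in a hash-chained audit log so the trail for a patient record can be reconstructed and checked for tampering, and compares the permissions actually granted in a system against what each user's role permits. The role table, user names and patient identifiers are constructed for the example.

```python
"""Hypothetical ePHI access gate with a tamper-evident audit trail (constructed example)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed role model: which actions each role may perform on ePHI.
# An infrastructure role gets no access to ePHI content at all.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read_billing"},
    "it_support": set(),
}

GENESIS_HASH = "0" * 64  # prev_hash of the first audit entry


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    patient_id: str
    action: str
    allowed: bool
    prev_hash: str
    entry_hash: str = ""


def _hash_entry(entry: AuditEntry) -> str:
    """Hash every field except entry_hash itself, so the entry commits to its predecessor."""
    fields = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    payload = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class EPHIAccessGate:
    def __init__(self, clock=None):
        # clock is injectable so the trail is reproducible in tests.
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.users = {}       # user -> role (assumption: one role per user)
        self.audit_log = []   # append-only list of AuditEntry

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.users[user] = role

    def access(self, user: str, patient_id: str, action: str) -> bool:
        """Need-to-know check: allowed only if the user's role permits the action.
        Every attempt is logged, including denials, so the trail is complete."""
        role = self.users.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        prev = self.audit_log[-1].entry_hash if self.audit_log else GENESIS_HASH
        entry = AuditEntry(self.clock(), user, role or "unassigned",
                           patient_id, action, allowed, prev)
        entry.entry_hash = _hash_entry(entry)
        self.audit_log.append(entry)
        return allowed

    def trail(self, patient_id: str):
        """Who touched this record, when, what they did, and whether it was allowed."""
        return [e for e in self.audit_log if e.patient_id == patient_id]

    def verify_chain(self) -> bool:
        """Recompute the hash chain; any edited or removed entry breaks it."""
        prev = GENESIS_HASH
        for entry in self.audit_log:
            if entry.prev_hash != prev or _hash_entry(entry) != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True

    def audit_acl(self, actual_grants: dict) -> dict:
        """Compare permissions actually granted in a system with what each user's
        role permits; return only the excess grants that need to be revoked."""
        excess = {}
        for user, granted in actual_grants.items():
            permitted = ROLE_PERMISSIONS.get(self.users.get(user), set())
            extra = set(granted) - permitted
            if extra:
                excess[user] = extra
        return excess


if __name__ == "__main__":
    gate = EPHIAccessGate()
    gate.assign_role("dr_a", "physician")
    gate.assign_role("tech_b", "it_support")
    gate.access("dr_a", "P-1", "read")
    gate.access("tech_b", "P-1", "read")
    for e in gate.trail("P-1"):
        print(e.timestamp, e.user, e.action, "allowed" if e.allowed else "DENIED")
    print("chain intact:", gate.verify_chain())
    print("excess grants:", gate.audit_acl({"tech_b": {"read"}, "dr_a": {"read"}}))
```

The denied attempt by the infrastructure account is deliberately kept in the trail: an audit report that shows only successful reads cannot prove how a breach occurred. The hash chain is a tamper-evidence mechanism, not a substitute for shipping the log to a separate, write-protected store.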
4. Secure Transmission
The CE must secure transmission of data and access to this data at the receiving site by using appropriate security protocols. When required, the CE must be able to furnish proof of transmission security levels.
5. Personal Authentication
The CE should be able to securely prove that the person accessing the information is using only his/her own credentials. What this means is that employees must not share or lose their login credentials.
CEs must control access to ePHI through advanced authentication methods like retina scans, 2-factor authentication, or other stronger authentication methods.
How to ensure HIPAA Compliance to avoid hefty fines
HIPAA compliance goes beyond the HIPAA Security Rule checklist. It also includes the Privacy Rule, the Omnibus Rule, the Breach Notification Rule, and the Enforcement Rule. A thorough risk assessment is a must for all healthcare apps.
Arkenea has over 8 years of experience in building HIPAA and HITRUST compliant apps. We are an award-winning healthcare software development company. This makes us uniquely positioned to apply the right technical safeguards to your websites and mobile apps. Our solution architects can also help you identify and engage with the right HIPAA compliant cloud storage for your business needs.