
HIPAA Security To Do List

Did You Know?

What is the difference between HIPAA Privacy and HIPAA Security?

Privacy relates to what must be kept private.
Security relates to how you keep PHI private.

HIPAA Security

Does not require extraordinary measures to meet requirements.

It involves taking the actions that a prudent person would agree are necessary to ensure the security of protected information.

Does not dictate specific technologies. 

Requirements may be implemented in a number of ways, depending upon the security needs and technologies in place and upon existing business agreements.

Our HIPAA Security Administrative To Do List is designed to help you begin planning for and implementing the practices and policies necessary to comply with the security regulations outlined in HIPAA. This is not an all encompassing list, but some useful ideas on where and how to begin your compliance efforts.


Administrative

HIPAA is Scalable

There is no standard way to approach HIPAA Security. Each covered entity's security program should be based on that organization's risk. Factors to evaluate risk include the organization's size, complexity and capabilities. Security controls should be proportionate to risk. The larger the organization, the more it is expected to do.

Perform Risk Analysis  

Since an organization's security approach is based on its risk, a covered entity (CE) must perform a comprehensive risk analysis. Specifically:

  • Covered entities must assess their level of risk. For example, what is the risk that someone will exploit a given weakness?
  • Covered entities must assess their security practices against the HIPAA guidelines to identify any deficiencies.
  • Following this assessment, they determine what additional measures, if any, need to be taken to meet the security requirements.
  • Be sure the assessment is not limited to technical security. It should also cover administrative and physical security.

Assessment should be a continuous process that allows the organization to identify deficiencies and correct them on an ongoing basis.

Chain of Trust Partner Agreements 

With your legal counsel, develop a chain of trust agreement.

Contract language should require the partner to maintain the confidentiality and integrity of the protected data.

Glossary

Authentication

- Corroboration that an entity is the one claimed.
- Mechanism to identify authorized users, programs and processes and to deny unauthorized access.

Encryption

Encryption is the process of transforming information from an unsecured form into a coded form, which cannot be easily read by outside parties. The transformation process is controlled by an algorithm and a key. 

Encryption is generally regarded as the safest method of guarding against accidental or purposeful security breaches. 

Addressable

Addressable specifications are not necessarily optional.

All addressable items must be addressed based on an entity's own risk analysis.

All decisions about addressable items must be documented.

If an implementation specification is addressable, a CE may implement it, implement an equivalent alternative measure (if appropriate), or not implement it and document that decision.

Addressable vs Required Security Standards Matrix [pdf] - WEDI

Contingency Plan

Prepare a comprehensive contingency plan that outlines how you will respond to system emergencies.

The plan must include policies and procedures for:

  • data criticality analysis
  • data backup 
  • disaster recovery
  • emergency mode operations 
  • testing and revision procedures

Written Mechanism for Processing Records

Develop policies and procedures for receipt, manipulation, storage, dissemination, transmission, and disposal of protected health information.

Information Access Control

Develop formalized procedures for how access to data is granted, modified or revoked.

Audit

Perform regular review of systems activity (logs) to identify abnormal or suspicious activity.
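The log review described above can be automated for the most common checks. The script below is an added example, not part of the original checklist: it parses constructed EHR access-log lines (timestamp, user, patient id, action; not real data) and flags two abnormal patterns, PHI access outside assumed business hours and one user viewing an unusually high number of distinct patient records in a day. The thresholds are assumptions to be tuned to your own risk analysis.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access-log records (not real data):
# timestamp, user, patient id, action
SAMPLE_LOG = """\
2024-03-04T08:12:03,nurse_ab,P1001,VIEW
2024-03-04T08:40:19,nurse_ab,P1002,VIEW
2024-03-04T09:05:44,clerk_cd,P1001,UPDATE
2024-03-04T23:41:07,clerk_cd,P1003,VIEW
2024-03-05T13:00:01,doc_ef,P1004,VIEW
2024-03-05T13:00:09,doc_ef,P1005,VIEW
2024-03-05T13:00:15,doc_ef,P1006,VIEW
2024-03-05T13:00:22,doc_ef,P1007,VIEW
2024-03-05T13:00:30,doc_ef,P1008,VIEW
"""

BUSINESS_HOURS = (7, 19)   # assumed: 07:00 to 18:59 local time is normal activity
MAX_PATIENTS_PER_DAY = 4   # assumed threshold of distinct patients per user per day


def parse_log(text):
    """Parse CSV-style access records into (datetime, user, patient, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        records.append((datetime.fromisoformat(ts), user, patient, action))
    return records


def find_suspicious(records):
    """Return a sorted list of (rule, user, detail) findings for review."""
    findings = []
    per_user_day = defaultdict(set)
    for ts, user, patient, action in records:
        # Rule 1: any PHI access outside business hours is flagged for review
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", user, f"{patient} {action} at {ts.isoformat()}"))
        per_user_day[(user, ts.date())].add(patient)
    # Rule 2: one user touching many distinct patient records in a single day
    for (user, day), patients in per_user_day.items():
        if len(patients) > MAX_PATIENTS_PER_DAY:
            findings.append(("high_volume", user, f"{len(patients)} distinct patients on {day}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{rule:12} {user:10} {detail}")
```

Each finding is a starting point for a documented review, not a conclusion; legitimate after-hours care and high-volume roles should be handled by tuning the thresholds per role.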

Written Security Policy to Identify and Document:

  • security awareness training
  • termination procedures
  • who is responsible for security
  • personnel security clearance
  • security configuration management
  • security incident handling
  • media controls
  • physical access controls
  • workstation use 
  • passwords
  • data access, authorization and audit controls
  • entity authentication

Ongoing risk analysis and management

Security consists of ongoing processes. It is ever-changing and requires ongoing monitoring to address new and newly discovered risks.

PLEASE NOTE: Information is provided as a service to our visitors. Practis takes no responsibility for its content. It is provided with the understanding that Practis is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Links and information are provided as a service to our visitors. Practis takes no responsibility for their content or connectivity.