HIPAA Security Rule focuses on the way Protected Health Information (ePHI) is stored. Organizations like covered entities, healthcare providers, and business associates are required to undergo audits to prove they are in regulatory compliance as peace of mind to new customers. Becoming HIPAA requires assessing mitigation controls and security risk.

What Every Organization Needs to Know about HIPAA Security Rule Risk Assessment Checklist

Who Must Follow HIPAA Rules?

In 1996, HIPAA was enacted to protect health information as people moved from job to job. The US Department of Health and Human Services (HHS) also passed Protected Health Information (PHI) rule in the early 2000s to define what type of information was protected.  PHI prevented a person’s health status, healthcare payments or healthcare provisions from being disclosed to a third party. In 2005, electronic health records were also protected and stored according to HIPAA security rule regarding (ePHI). These rules outline what organizations must follow HIPAA such as the following:

  • Healthcare provider: Is anyone who is authorized to practice surgery or medicine in the state they practice such as osteopathy or medicine.
  • Covered entity: Healthcare providers, healthcare clearinghouses and health plans who electronically send health information.
  • Business associate: A business associate is anyone entity or individual involved in disclosing or protecting health information on behalf of a covered entity. It includes all third parties working with covered entities.

Becoming HIPAA Compliant

The first step to becoming HIPAA compliant is risk assessments. Risk assessments assist in determining the locations with the greatest vulnerability. An Assessment tool can be found at the Office of the National Coordinator for Health Information Technology. The helps organizations determine their risks by establishing 156 questions. Within those questions are:

  • Administrative safeguards: Administrative safeguards require organizations to focus on documenting, developing and implementing procedures and policies to manage and assess ePHI risk. During the initial review consider risk assessments. These assessments involve creating an inventory of all electronic devices, information systems and mobile media. They also include identifying threats to security, sharing document risks assessment policy with workforce members (responsible for mitigating threats) and reviewing unauthorized ePHI access.
  • Technical safeguards:  Reviewing technical safeguards are also required to become HIPAA compliant. Organizations should develop a security plan for any type of emergency, disaster recovery or continuity plan. They should also develop, document and share these plans with their employees responsible for protecting and storing health records. In addition, establish a monitoring process for all third parties. That reviews their securities and responsibilities.
  • Physical safeguards: Physical safeguards involves separating workforce members and providers roles based on their access to ePHI. Develop procedures allowing the organization’s IT department to enable, create, disable, remove and modify accounts based on their responsibilities and privileges of storing and protecting health information.

 Tips on Becoming HIPAA Compliant for 2018

There are many ways to become HIPAA compliant. However, there are some things to never overlook when becoming HIPAA compliant such as an incident response plan. With an incident response plan, it is important to establish training that aligns with workforce members’ responsibilities and roles. Also, establish mechanisms that respond and identify to known or suspected incidents such as documentation requirements and steps to mitigate risk. Provide incident response training to information system users that is consistent with all incident response policies.

It is also important to test incident response capabilities and document their effectiveness. Include ways to implement detection, containment, analysis and recovery responses as part of incident response policy. Establish any incident handling activities with a backup plan that includes all lessons learned from ongoing incident activities. These steps should be included in response procedures.

Contingency Plan Should Protect HIPAA Breaches

When creating technical safeguards, seriously consider a contingency plan that identifies essential activities that address the scope, purpose, management, responsibilities and compliance connected to accessing ePHI. The contingency plan must incorporate a variety of things that may happen such as vandalism, fire, natural disaster or system failure.

Always regularly review and update contingency policy plans. Regularly backup all information system documentation at all levels such as security-, user and system-level. Conduct audits and automated overrides of role-based access control plans and rules for all emergency situations.

Third-Party Monitoring Implementation

In addition to contingency planning, third-party monitoring is also important to complying with HIPAA. Always create and include procedures and policies that document, establish, review and modify all third-party access to health information. This third-party access monitoring should involve all transactions, processes and workstations.

Review contacts that discuss legal issues involving ePHI disclosure safeguards that are not listed in the original contract. Develop processes that create and maintain a list of authorized maintenance personnel or organizations accessing information systems, information and ePHI matching roles.

The Last Word on HIPPA Security Rule Risk Assessment Checklist for 2018

Being HIPAA compliant requires retaining information required by Executive Orders, federal laws, regulations and other operational requirements. Organizations must ensure retention includes full life-cycle such as disposal of information systems. It is required to always document record retention for at least a six-year period. This six-year period should be from the date the document was created or when it last went into effect. Provide an audit and reduction report generation software that allows on-demand audit analysis and reviews without changing the order of records or information.