There are plenty of checklists and guidebooks out there related to HIPAA compliance. However, it helps to go to the source to see what specific HIPAA controls are necessary to safeguard protected health information. Here are specific details on how to follow the Security Rule, as indicated directly by HHS guidelines:
- Basic Guidelines
- Vulnerability Assessments
- Administrative HIPAA Controls
- Physical HIPAA Controls
- Technical HIPAA Controls
- The Role of Business Associates
The Security Rule states that healthcare organizations must properly protect ePHI using reasonable administrative, technical, and physical HIPAA safeguards.
The following must be achieved:
- All relevant patient data that your system touches should be kept confidential and consistently available. Its integrity should be maintained as well.
- You should defend against all common threats of data breach or manipulation.
- You should make sure that any unlawful use or sharing is reasonably avoided.
- Compliance should be maintained with your staff.
What exactly is meant by confidentiality? “The Security Rule defines ‘confidentiality’ to mean that e-PHI is not available or disclosed to unauthorized persons,” says the HHS. “The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI.”
Beyond confidentiality, though, you do also need to be concerned with the issues of integrity and availability. For your data to have integrity, that means it hasn’t been manipulated or removed from the system. Availability is a characteristic of data that is accessible at all times for those with legitimate need.
Although the HHS is strict about compliance, the Security Rule does not require solutions that are explicitly defined but instead stipulates that providers use established security standards to meet the legal expectations. The right choices for infrastructure and security software are partially dependent on how large a company is, as well as its budget.
When a healthcare organization is figuring out what security tools need to be in place, they should know the flexible variables listed by the agency:
- Size of organization and what it does
- The scope and components of your IT environment
- The expenses related to security practices
- Level of risk to your data
It’s also necessary to adapt with the threat landscape rather than staying in one position for years.
The Security Rule contains a specific section of Administrative Safeguards, which include the need for regular vulnerability assessments. This element is particularly important because, says the HHS, “by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.”
Your HIPAA risk analysis checklist should include these components:
- Determine types and levels of risk
- Put mechanisms in place to reduce each risk
- Record the mechanisms and processes you’ve implemented and why
- Keep your safeguards in place on an ongoing basis.
Administrative HIPAA Controls
Proper management of security – As indicated above, it’s necessary to assess the vulnerabilities your organization has and to mitigate them with industry-standard tools and techniques .
Assignment of security role – You also want to have someone on staff who is the go-to person for these concerns. According to the HHS, “[a] covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”
Proper management of access – The HIPAA Privacy and Security Rules are consistent on access management. Aligned with the Privacy Rule’s stipulation that disclosure should be as limited as possible, the Security Rule directs the creation of policies and procedures that authorize role-based access, specifically defining what information users can see.
Employee oversight and training – Healthcare companies need systems to authorize and manage their employees’ interaction with patient data. Regular training must occur, and there must be consequences for anyone failing to abide by your policies.
Regular review – It’s necessary to review policies and procedures on a regular basis.
Physical HIPAA Controls
Your physical location – Take steps to ensure that no unauthorized parties access any offices containing health data.
Desks & computers – You must devise specific guidelines regarding workstations and any digital devices. Additionally, the HHS delineates that “[a] covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media.”
Technical HIPAA Controls
Access – It’s necessary for healthcare organizations to develop policies that limit access to authorized individuals.
Auditing – You have to deploy tools that monitor access and use of all PHI systems.
Integrity – You have to put into place policies that reduce the likelihood of data manipulation and removal. Tools should also verify that no data is changed or deleted.
Networks – Security tools should be used to prevent anyone from accessing patient records while it is being sent through the network.
The Role of Business Associates
The HHS also indicates that the role of business associates changed when HITECH passed in 2009. Those adjustments to the law made business associates directly responsible for safeguarding protected health information.
However, just because business associates are now responsible and could be fined by the HHS just as covered entities can, your best protection is an experienced HIPPA Compliant Hosting like Atlantic.Net. We offer 100 percent uptime on SSD Cloud Servers running the most popular applications.