The HIPAA Compliance Checklist Your Practice Needs | Secure Cloud Backup Software | Nordic Backup

HIPAA compliance is expansive: it requires conformity with a wide range of rules on the protection of health information. This article gives an uncomplicated, easy-to-read overview and a HIPAA compliance checklist you can use to cover each requirement.

The items below are not considered a complete or formal list for compliance, and you’re not guaranteed compliance by following them. This article provides guidelines. You should consult a lawyer to determine compliance requirements for your specific situation.

Does HIPAA Apply to You?

HIPAA’s Privacy and Security Rules apply to covered entities (health care providers, health plans and clearinghouses) and their business associates, and they govern what’s called “PHI,” or Protected Health Information: health-related information combined with anything that identifies who it belongs to. Identifiers include names, email addresses, phone numbers, photos, driver’s license numbers, medical record numbers, etc. If you hold health information of any kind that can be tied to an identifiable person, you have PHI that must be handled in compliance with HIPAA. Such information is found in appointment records, prescription lists, test results, and much more.

ePHI is protected health information that is stored or transmitted electronically. This includes email, text messages, websites, databases, electronic fax, online document storage, and cloud storage.

Step 1: HIPAA Compliance Officer

Once you’ve determined that HIPAA applies to you, you’re required to designate a HIPAA compliance officer (the rules call for a privacy official and a security official; in a small practice these can be the same person). This officer reads and understands the federal regulations so that nothing is missed or misunderstood.

In addition to the officer, you should engage an attorney familiar with HIPAA. This is not required, but the attorney will be able to answer your questions and advise you on any areas that aren’t clear.

Designate a HIPAA compliance officer ____

Step 2: Researching State Rules and Regulations

There are numerous federal laws pertaining to the privacy of individual health information, but most states also have their own laws and regulations governing the use, collection and disclosure of health information. Some state standards are stricter than the federal ones, and HIPAA does not override state law that is more protective, so it’s important to research your state’s rules and regulations on health information protection and privacy. Visit this website to see the laws and regulations pertaining to your state.

Research state laws ____

Step 3: HIPAA Administrative Requirements

Individuals and entities seeking HIPAA compliance should consider the following. Keep in mind that an item designated as “required” is mandatory. An item designated as “addressable” must still be implemented unless a documented analysis concludes that implementation isn’t reasonable or appropriate, in which case you must record why and put an equivalent alternative measure in place where one is reasonable and appropriate. Addressable does not mean optional.

Security Management Process

  1. Risk Analysis: Perform and document a risk analysis that identifies where ePHI is created, received, stored and transmitted, and the threats and vulnerabilities to its confidentiality, integrity and availability.

Required ____

  2. Risk Management: Implement security measures sufficient to reduce those risks to a reasonable and appropriate level.

Required ____

  3. Sanction Policy: Apply sanctions to workforce members who fail to comply with your security policies and procedures.

Required ____

  4. Information System Activity Review: Regularly review records of system activity, such as audit logs, access reports and security incident reports.

Required ____

Assigned Security Responsibility

  1. Officers: Designate HIPAA Security and Privacy Officers.

Required ____

Workforce Security

  1. Employee Oversight: Implement procedures to authorize, grant and remove access, and to supervise workforce members who work with ePHI, so that an employee’s access to ePHI ends when employment or the role ends.

Addressable ____

Information Access Management

  1. Multiple Organizations: Ensure that PHI isn’t accessed by parent or partner organizations, subcontractors, or any other entity not authorized for access.

Required ____

  2. ePHI Access: Implement policies and procedures for granting access to ePHI, and for documenting, reviewing and modifying a user’s right of access to the workstations, transactions, programs or processes that provide it.

Addressable ____

Security Awareness and Training

  1. Security Reminders: Regularly send employees updates and reminders about security and privacy policies.

Addressable ____

  2. Protection from Malicious Software: Implement procedures for guarding against, detecting and reporting malicious software.

Addressable ____

  3. Log-in Monitoring: Monitor log-in attempts to systems and report discrepancies.

Addressable ____

  4. Password Management: Implement procedures for creating, changing and safeguarding passwords.

Addressable ____

Security Incident Procedures

  1. Response and Reporting: Identify and respond to suspected or known security incidents, mitigate their harmful effects where practicable, and document the incidents and their outcomes.

Required ____

Contingency Plan

  1. Contingency Plans: Maintain retrievable exact copies (backups) of ePHI and procedures to restore any data that is lost (the data backup plan and disaster recovery plan).

Required ____

  2. Contingency Plan Testing and Revision: Implement procedures for periodic testing and revision of contingency plans.

Addressable ____

  3. Emergency Mode Operation: Establish and implement procedures that keep critical business processes running, and ePHI protected, while operating in emergency mode.

Required ____

Evaluations

  1. Evaluations: Perform periodic technical and non-technical evaluations of how well your policies and procedures meet the Security Rule, and repeat them whenever changes in your business environment or operations could affect the security of ePHI.

Required ____

Business Associate Contracts

  1. Business Associate Agreements: Put Omnibus Rule-compliant contracts in place with business associates (vendors and partners who create, receive, maintain or transmit PHI on your behalf). The agreement obligates them to safeguard the PHI and to report breaches to you; it does not by itself make either party compliant, so verify their practices as well.

Required ____

Step 4: HIPAA Physical Requirements

Facility Access Controls

  1. Contingency Operations: Institute procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan.

Addressable ____

  2. Facility Security Plan: Implement policies and procedures to safeguard the facility and its equipment from unauthorized physical access, tampering and theft.

Addressable ____

  3. Access Control and Validation: Institute procedures to control and validate an individual’s access to facilities based on their role or function. This includes visitor control and control of access to software programs for testing and revision.

Addressable ____

  4. Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of a facility that relate to security (for example, locks, doors and hardware).

Addressable ____

Workstation Use and Security

  1. Workstation Use and Security: Institute policies specifying the proper functions to be performed, how they are to be performed, and how the surroundings of workstations that access ePHI are to be secured. Restrict physical access to such workstations to authorized users only.

Required ____

Device and Media Controls

  1. Device and Media Disposal and Re-use: Develop procedures for the final disposal of ePHI and of the hardware or media on which it is stored, and for removing ePHI from media before the media are made available for re-use.

Required ____

  2. Media Movement: Maintain a record of the movements of hardware and electronic media that hold ePHI, and of any person responsible for them.

Addressable ____

  3. Data Backup and Storage: Create a retrievable, exact copy of ePHI, when needed, before moving equipment.

Addressable ____

Step 5: HIPAA Technical Requirements

Access Control

  1. Unique User Identification: Assign a unique name and/or number to each user so that identities can be identified and tracked.

Required ____

  2. Emergency Access Procedure: Establish and implement procedures for obtaining necessary ePHI during an emergency.

Required ____

  3. Automatic Logoff: Implement electronic procedures that terminate a session after a predetermined period of inactivity.

Addressable ____

  4. Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI where reasonable and appropriate.

Addressable ____

Audit Controls

  1. Audit Controls: Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems containing or using ePHI.

Required ____

Integrity

  1. ePHI Integrity: Institute policies and procedures to protect ePHI from improper alteration or destruction, including an electronic mechanism to confirm that ePHI has not been altered or destroyed in an unauthorized manner.

Addressable ____

Authentication

  1. Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

Required ____

Transmission Security

  1. Transmission Security: Implement technical security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communications network.

Addressable ____
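The “Data Backup and Storage” item above (create a retrievable, exact copy of ePHI before moving equipment) and the “ePHI Integrity” item (a mechanism to confirm ePHI has not been altered) both come down to the same check: prove that what you restored is byte-for-byte what you backed up. The script below is an added illustration, not Nordic Backup’s code or any part of the HIPAA rules. It builds a SHA-256 manifest of a source tree, copies the tree, and verifies the copy against the manifest; the manifest is protected with an HMAC so that someone who alters a backup file cannot hide it by editing the manifest too. The sample files and the key are constructed for the demo; a real deployment would store the key outside the backup set.

```python
"""Verify that a backup is an exact copy of the source tree.

Added example (not Nordic Backup's code): builds a SHA-256 manifest of every
file under a source directory, copies the tree, then verifies the copy
against the manifest. The manifest is tagged with an HMAC so an altered
backup cannot be hidden by also altering the manifest. The sample files are
constructed, synthetic data, not real PHI.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read in 1 MiB chunks so large scans/images are not loaded whole


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """Serialize the manifest deterministically and tag it with HMAC-SHA256."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac": tag}


def load_signed_manifest(signed, key):
    """Return the manifest only if its HMAC verifies; raise otherwise."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    return signed["manifest"]


def verify_backup(manifest, backup_root):
    """Return a sorted list of (relpath, problem) for every deviation from the manifest."""
    problems = []
    actual = build_manifest(backup_root)
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append((rel, "missing"))
        elif actual[rel] != digest:
            problems.append((rel, "hash mismatch"))
    for rel in actual:
        if rel not in manifest:
            problems.append((rel, "unexpected extra file"))
    return sorted(problems)


def demo():
    """Back up a constructed sample tree, verify it, then show that tampering is caught."""
    key = b"demo-manifest-key"  # assumption: kept outside the backup set in real use
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "records"))
        with open(os.path.join(src, "records", "patient-0001.txt"), "w") as f:
            f.write("synthetic test record, not real PHI\n")
        with open(os.path.join(src, "appointments.csv"), "w") as f:
            f.write("id,date\n1,2024-01-02\n")
        signed = sign_manifest(build_manifest(src), key)

        dst = os.path.join(tmp, "backup")
        shutil.copytree(src, dst)
        clean = verify_backup(load_signed_manifest(signed, key), dst)

        # Simulate silent corruption of one file in the backup copy.
        with open(os.path.join(dst, "appointments.csv"), "a") as f:
            f.write("2,2024-01-03\n")
        tampered = verify_backup(load_signed_manifest(signed, key), dst)

        # An attacker who also rewrites the manifest entry is stopped by the HMAC.
        signed["manifest"]["appointments.csv"] = sha256_file(os.path.join(dst, "appointments.csv"))
        try:
            load_signed_manifest(signed, key)
            manifest_rejected = False
        except ValueError:
            manifest_rejected = True
    return clean, tampered, manifest_rejected


if __name__ == "__main__":
    print(demo())
```

Run the verification after every copy and again after every restore test, and keep the signed manifest (and its key) with your contingency-plan records; a restore that passes this check is evidence for the periodic testing the contingency plan calls for.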

Step 6: Research HIPAA Compliant Backup Providers

HIPAA compliant data backup is essential for healthcare providers. Secure backup is part of the required contingency plan efforts outlined in the administrative requirements section above, so choose a backup provider whose physical and electronic security controls you have verified. Nordic Backup provides HIPAA compliant data backup with end-to-end encryption. To us, security is never a compromise. All medical information is stored in world-class data centers, protected from natural disaster, theft, and loss.

If your practice needs a Business Associate Agreement to meet HIPAA requirements, we can create one for you. Take a look at our affordable pricing plans to find the best HIPAA compliant backup solution for all the protected health information your business handles.

The above is only a brief checklist of the things you need to do to become HIPAA compliant. You must refer to the legal requirements that apply to your specific organization in order to comply with federal regulations. For more information about HIPAA compliance, visit this website.
