May 25, 2016
HIPAA Compliance Checklist
HIPAA (Health Insurance Portability and Accountability Act) compliance is designed to protect patient privacy and set standards for how medical records can be shared and how they must be safeguarded. HIPAA compliance isn’t just for those directly within the healthcare industry, however. Nearly anyone dealing with electronic Protected Health Information (PHI) including doctors, hospital technicians and yes, the Managed IT Services Providers (MSPs) who manage hospital/medical office computers and networks in the cloud are required to be HIPAA compliant.
HIPAA compliance is a very serious matter. In fact, if you’re selected for an audit by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) and you are found to be noncompliant, you may be served penalties ranging from up to $50,000 per violation, and up to $1.5 million per year across all HIPAA violation categories. That type of penalty can severely hurt your bottom line, so ensure that you’re always HIPAA compliant. And the best way to stay compliant is with our ultimate HIPAA Compliance Checklist.
3 Core Components of the HIPAA Security Rule
Recent rule changes to HIPAA compliance means that all Business Associates (BAs) are now subject to the requirements of the security rule, including risk analysis, implementation of security procedures, training and having a breach response plan in place. At its core, the HIPAA compliance security rule can be broken down into three distinct components:
Physical safeguards – This means actually and physically protecting your facility and servers – locking doors, using access badges to get into secure areas, and with surveillance cameras monitoring. Most compliance experts suggest that one of the best physical safeguards you can have is simply controlling access of the PHI, based on job functions.
Technical safeguards – These safeguards govern the electronic access to the PHI within the cloud networks. Some key components of this to include in your HIPAA compliance checklist include:
- Access control – each user requires a unique ID and password
- Multi-factor identification – all electronic logins require multiple pieces of data to sign in, such as an auto-generated PIN number
- Encryption on everything – encryption scrambles your ePHI so that those records can only be accessed by people who hold the encryption key. This should include all data in motion, using a TLS-secured connection to access records in the cloud, and should ideally be end-to-end encryption.
- A comprehensive backup and disaster recovery plan (BDR) – Much of HIPAA compliance is centered around security and prevention, but there is a component that includes what to do when disaster strikes. Your BDR plan should consist of disaster declarations, a detailed disaster list, data backup and alternate site guides, and a PHI recovery plan.
Administrative safeguards – This sounds like a lot of paperwork but this type of training, process-implementation and documentation is actually some of the most important aspects of getting HIPAA compliance right. Some recommended administrative safeguards to include in your HIPAA compliance checklist include:
- Signing Business Associate Agreements (BAAs) with all your partners. The term Business Associates (BAs) has expanded in recent years to include anyone who transports, stores or processes PHI, any subcontractors or subcontractors under a subcontractor, no matter how far downstream from the original entity, and all third-party data and document storage companies.
- Listing out each business associate and set out rules for what data they have access to and what to do in case of accidental disclosure.
- Making sure all your employees understand data security, create strong passwords, and avoid inadvertently downloading malicious software or sending sensitive data in unsecured emails.
- Creating a process for auditing data and controlling how that data is preserved, changed or destroyed
- Creating systems to prevent leaks
- Reviewing all changes at least once a year
Other Considerations for Your HIPAA Compliance Checklist
The three safeguards – physical, technical and administrative – are a great start to ensuring that you are fully HIPAA compliant, but there are always additional measures to take to really feel like you are no longer at risk of uncovering a breach during an audit.
Compliance experts suggest conducting a risk analysis in accordance with the National Institute of Standards and Technology (NIST) guidelines. The NIST produces Standard Reference Materials (SRM) that you can refer to when conducting your risk assessment.
Service-level agreements (SLAs) are also an important part of staying HIPAA compliant between you and your MSP partner. One great way to improve your SLAs is to have more precise terms, especially in offering guaranteed response times for routing changes, security threats and non-critical additions.
Finally, along with security rules, HIPAA compliance also entails several privacy rule obligations. This includes having an accounting of disclosures available, all PHI to be kept in a designated record set and the cooperation with all compliance investigations performed by the OCR.
HIPAA compliance is no laughing matter, and using this HIPAA compliance checklist to ensure your MSP and its partners remain fully compliant at all times is a great way toward staying out of the hot spotlight of OCR audits, avoid paying hefty fines and maintaining your reputation as an expert in security and compliance.