HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

HIPAA Checklist

Administrative Perform an ongoing risk assessment to detect any potential gaps. Conduct risk management to ensure reasonable PHI security is in place. Train staff in ePHI access protocols and how to mitigate chances of social engineering to reduce chances of cyber-intrusion. Design contingency plans to ensure continued business operations. Perform regular testing on contingency plans. Create and sign business associate agreements with any vendor or business associate who may have contact with ePHI. Record every security breach, successful or otherwise.
Physical Monitor and control access to areas that hold PHI or ePHI. Establish a written policy concerning workstation habits to inhibit accidental PHI disclosure. Create policies governing the exchange and transfer of mobile devices, which may at one time contained ePHI.
Technical Mask (anoymize) individually identifiable health information Encrypt all transmitted ePHI to meet NIST cryptographic standards Issue PIN codes, keycards, and / or passwords to authorized personnel with access to ePHI. Regularly authenticate ePHI to protect its integrity. Encrypt any device that can access ePHI. Monitor the logs of ePHI access attempts. Create auto-logoff systems to ensure workstations are secured once authorized personnel leaves the area.
HIPAA Privacy Rule Respond within 30 days to patient access requests. Inform patients and subscribers of data sharing policies through a Notice of Privacy Practices (NPP) form. Receive permission from patients to use their PHI for marketing, research, or fundraising. Conduct privacy training with the workforce to ensure understanding of the Privacy Rule. Ensure your documentation accounts for the changes in the treatment of school immunizations, ePHI restriction in disclosure to health plans, and the right of patients to their electronic records.
HIPAA Breach Notification Rule Understand the differences between a minor breach and a meaningful breach and the required measures once one is identified. Ensure that a breach is notated with: A description of the ePHI Who gained unauthorized access The degree that the data's integrity was misused or corrupted How well the safeguards mitigated any damages
HIPAA Final Omnibus Rule Update Business Associate Agreements to indicate the amendments of the Omnibus Rule. Retrieve newly signed copies of BAAs that incorporate the Omnibus information. Update privacy policies to include the Omnibus changes. Update NPPs to address the changes to authorizations and the right to privacy. This checklist does not cover the entirety of the Health Insurance Portability and Accountability Act. It's also important to note if you transfer over to a new cloud-based system, there are several additional steps required to stay compliant.