HIPAA Security Rule compliance checklist for 2022

HIPAA Security Rule compliance checklist for 2022

Does your organization provide healthcare services or health plans? Is your organization involved in reviewing or processing medical claims? Do you provide services that involve the access, use, or disclosure of protected health information (PHI)? If you answered yes to any of these questions, then your organization may be subject to the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA is a constantly updated federal law that ensures the continued protection of PHI from unauthorized disclosure while also facilitating PHI sharing for efficient delivery of healthcare services. In this regard, the HIPAA Security Rule was enacted in April 2005. The HIPAA Security Rule aims to protect electronic PHI by requiring covered entities and their business associates to implement three types of safeguards: administrative, physical, and technical.

To fulfill this requirement, use this handy checklist as a guide.

Read also: HIPAA compliance basics for business owners

Administrative safeguards

Your company must have a Security Officer and a Privacy Officer who will implement policies and procedures that secure ePHI. These officers have the following responsibilities:

- identify potential risks and threats to the confidentiality, integrity, and availability of ePHI and determine the likelihood and impact of such risks
- implement measures to reduce identified risks to appropriate levels
- train all staff who have access to ePHI on how to protect it from unauthorized access, use, or disclosure
- ensure the continuity of critical business processes while safeguarding the integrity of ePHI in the event of an emergency
- try out the contingency plan periodically to ensure that it will work as planned
- ensure that only the third parties that have signed Business Associate Agreements can access ePHI
- enable early detection of security incidents so they can be contained before they escalate to breaches 

Physical safeguards

These safeguards pertain to restricting physical access to ePHI storage devices, be they on site, in a remote data center, in a cloud provider's facility, or wherever else they may be located. The safeguard must also secure workstations and mobile devices from unauthorized access. In practical terms, this means having the following measures in place:

- limits who have physical access to the area where ePHI is stored and implements measures to prevent unauthorized physical access, tampering, and theft of ePHI
- mandates the use of passwords, badges, and PINS in order to restrict access to workstations to only authorized personnel
- governs the removal of ePHI from devices if the device’s user leaves the organization or the device is lost, sold, or re-used
- maintains an inventory of all hardware and records movements of each piece of hardware 

Technical safeguards

Under HIPAA, you must leverage the following IT solutions and measures to protect ePHI:

- assigns each user with a unique username and password and creates procedures that manage the release or disclosure of ePHI during an emergency
- checks whether ePHI has been altered or destroyed in an unauthorized way
- renders ePHI unreadable to parties that do not have the decryption key
- records all attempted access to ePHI and how that data was used when it was accessed
- signs out authorized users from devices after a pre-defined period


Getting overwhelmed by all the security requirements? Don’t worry, Safebit is here to help. With us at your side, you can rest easy knowing that your tech is fully compliant with HIPAA. Get in touch with our IT experts today.

Various cybersecurity mistakes can result in massive data breaches. Learn how your business can avoid them with our FREE eBook.LEARN MORE HERE