HIPAA Security Rule compliance checklist for 2022

Does your organization provide healthcare services or health plans? Is your organization involved in reviewing or processing medical claims? Do you provide services that involve the access, use, or disclosure of protected health information (PHI)? If you answered yes to any of these questions, then your organization may be subject to the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA is a constantly updated federal law that ensures the continued protection of PHI from unauthorized disclosure while also facilitating PHI sharing for efficient delivery of healthcare services. In this regard, the HIPAA Security Rule was enacted in April 2005. The HIPAA Security Rule aims to protect electronic PHI by requiring covered entities and their business associates to implement three types of safeguards: administrative, physical, and technical.

To fulfill this requirement, use this handy checklist as a guide.

Read also: HIPAA compliance basics for business owners

Administrative safeguards

Your company must have a Security Officer and a Privacy Officer who will implement policies and procedures that secure ePHI. These officers have the following responsibilities:

Conduct risk assessments - identify potential risks and threats to the confidentiality, integrity, and availability of ePHI and determine the likelihood and impact of such risks
Introduce a risk management policy - implement measures to reduce identified risks to appropriate levels
Train employees to be secure - train all staff who have access to ePHI on how to protect it from unauthorized access, use, or disclosure
Develop a contingency plan - ensure the continuity of critical business processes while safeguarding the integrity of ePHI in the event of an emergency
Test of contingency plan - try out the contingency plan periodically to ensure that it will work as planned
Restrict third-party access - ensure that only the third parties that have signed Business Associate Agreements can access ePHI
Report security incidents - enable early detection of security incidents so they can be contained before they escalate to breaches 

Physical safeguards

These safeguards pertain to restricting physical access to ePHI storage devices, be they on site, in a remote data center, in a cloud provider's facility, or wherever else they may be located. The safeguard must also secure workstations and mobile devices from unauthorized access. In practical terms, this means having the following measures in place:

Facility access controls - limits who have physical access to the area where ePHI is stored and implements measures to prevent unauthorized physical access, tampering, and theft of ePHI
Policies for the use/positioning of workstations - mandates the use of passwords, badges, and PINS in order to restrict access to workstations to only authorized personnel
Policies and procedures for mobile devices - governs the removal of ePHI from devices if the device’s user leaves the organization or the device is lost, sold, or re-used
Inventory of hardware - maintains an inventory of all hardware and records movements of each piece of hardware 

Technical safeguards

Under HIPAA, you must leverage the following IT solutions and measures to protect ePHI:

Access controls - assigns each user with a unique username and password and creates procedures that manage the release or disclosure of ePHI during an emergency
Mechanism to authenticate ePHI - checks whether ePHI has been altered or destroyed in an unauthorized way
Encryption and decryption tools - renders ePHI unreadable to parties that do not have the decryption key
Activity logs and audit controls - records all attempted access to ePHI and how that data was used when it was accessed
Automatic log-off of devices - signs out authorized users from devices after a pre-defined period

 

Getting overwhelmed by all the security requirements? Don’t worry, Safebit is here to help. With us at your side, you can rest easy knowing that your tech is fully compliant with HIPAA. Get in touch with our IT experts today.